Abstract

We present a formal proof of a time-triggered hardware interface. The design implements the bit-clock synchronization mechanism specified by the FlexRay standard for automotive embedded systems. The design is described at the gate level. It can be translated to Verilog and synthesized on FPGA. The proof is based on a general model of asynchronous communications and combines interactive theorem proving in Isabelle/HOL and automatic model-checking using NuSMV together with a model-reduction procedure, IHaVeIt. Our general model of asynchronous communications defines a clear separation between analog and digital concerns. This separation enables the combination of theorem proving and model-checking for an efficient methodology. The analog phenomena are formalized in the logic of Isabelle/HOL. The gate-level hardware is automatically analyzed using IHaVeIt. Our proof reveals the correct values of a crucial parameter of the bit-clock synchronization mechanism. Our main theorem proves the functional correctness as well as the maximum number of cycles of the transmission.

1 Introduction 

Communications in distributed systems are inherently asynchronous. To cope with clock imperfections, different clock synchronization algorithms are required. FlexRay [T] defines a standard for reliable communications in safety-critical automotive applications. In particular, it defines a bit-clock synchronization algorithm that guarantees proper bit transmission between two independently clocked registers connected via a shared bus. In this paper, we prove the formal correctness of a hardware interface implementing this bit-clock synchronization algorithm.
Figure 1: Asynchronous communications and metastability

Figure 1 illustrates one difficulty of interfacing two independently clocked registers¹. Assume a sender and a receiver communicating via a shared bus. The picture first shows the sender clock and the signal output on the bus. The sender output progressively changes from 1 to 0 and then from 0 to 1. In the picture, the receiver clock is slightly out of phase, i.e., receiver edges appear slightly after sender ones. It might be possible for the receiver to sample a signal that is neither a logical 0 nor a logical 1 (see periods A and B in Figure 1). In that case, the receiver reaches a metastable state and ceases to behave as a digital device, i.e., its output oscillates between high and low voltages. Metastability cannot be avoided [13]. After the resolution time, the receiver output stabilizes to a well-defined value. In the picture, the resolution time is less than a clock cycle. The receiver output stabilizes to 0 (period A) before the end of the cycle. The resolution value is non-deterministic. In Figure 1 the first metastability resolved to the value sent by the sender, but resolution to the negation of this expected value is also possible (see period B). For the last two cycles, the sender keeps its output stable and the receiver can always sample a well-defined value. It never reaches a metastable state (periods C). In the picture, the clock periods of the receiver and the sender are always equal. In practice, clocks suffer from jitter: the clock period of one clock is not constant over time, i.e., two successive clock cycles will have different lengths. Clocks also suffer from drift: the frequencies of two independent clocks drift from each other over time.

¹ Our presentation owes a great debt to Moore's introduction [14]. In particular, Figure 1 is largely inspired by Figure 2 of Moore's paper.

The FlexRay interface guarantees proper transmission despite jitter, drift, and metastability. The basic 
idea is that senders keep their output stable long enough to create a sweet spot for sampling on the receiver 
side. We call this stable period a safe sampling window. To prevent metastable states, receivers sample 
bits in the middle of this window. If receivers are faster or slower than the sender they will read bits at 
the beginning or at the end of this window. But if this window is large enough, they will still sample in 
the region where sender output signals are stable. To prove the correctness of our implementation of the 
FlexRay algorithm, we develop an abstract and formal model of jitter, drift and metastability. This model is 
general and can be reused in other proof efforts. Our proof shows how to use this abstract model of analog 
phenomena to reason about digital hardware designs. 

The abstraction of analog phenomena is captured in Proposition 5 (Section 4.6). This proposition states precise conditions on the signal produced by the sender. These conditions guarantee successful data transmissions. In Figure 1 the last bit can be sampled properly because the sender keeps its output signal stable. The conditions of Proposition 5 ensure that the sender keeps its output stable long enough to let the receiver sample properly. This proposition mentions analog entities only. Our goal is to analyze digital designs. Proposition 6 (Section 5.3) identifies conditions that the sender part of the hardware interface must satisfy to ensure proper reception at the receiver part of the hardware interface. These conditions concern digital aspects only. The formal analysis of hardware designs can abstract away from all analog considerations and stay in the scope of usual automatic verification techniques, e.g., model-checking [Sj. Our main theorem (Theorem 1, Section 7) proves that a message of l bytes can be sent and recovered properly using our hardware implementation despite imperfect clocks and asynchronous communications.

Our model and proof have been developed entirely within the Isabelle/HOL [15] theorem prover. Our abstract model of asynchronous communications and the hardware design are represented in the logic of Isabelle. Interactive theorem proving is used to define our abstract model and prove Propositions 5 and 6. Properties of the hardware designs are automatically proven using the NuSMV model-checker [7]. NuSMV is used within Isabelle via a model-reduction interface, named IHaVeIt [20, 21]. The synchronization mechanism used in the design is based on resetting a counter when a specific sequence of bits is detected. This specific reset value is crucial to the correctness of the algorithm. In the proof of Theorem 1, Statements 1 and 2 identify the exact values ensuring synchronization. This shows that the values proposed in this paper and in the FlexRay standard are correct while the value proposed in an early version of our hardware interface [1] is not.

In summary, our contribution consists in (1) a clear presentation of a precise model of asynchronous communications; (2) the combination of this model with the discrete semantics of hardware design; (3) a hybrid verification methodology combining automatic tools with interactive theorem proving; and (4) the proof of the hardware implementation of a time-triggered interface. Our proof reveals the specific values of a crucial parameter that ensure proper sampling of arbitrarily long messages. Some of these results have been presented in previous publications [18, 19]. This paper gives a more precise and comprehensible presentation of a unified and extended version of them.



Table 1: Notations

δ              bound on the jitter of all clocks
π              bound on the drift (number of clock cycles)
c              sender cycle
ξ              receiver cycle
e_u(x)         real-time of the occurrence of edge number x on unit u
mk(ξ, c)       "the mark" (receiver cycle ξ affected by sender cycle c)
β^c_ξ          metastability factor (0 or 1 depending on metastability)
a              distance from the mark
χ              drift factor (−1, 0, or 1)
t_h            register holding time (real number, % of receiver clock)
t_s            register set-up time (real number, % of receiver clock)
t_Pmin         register minimum propagation delay (real number, % of sender clock)
t_Pmax         register maximum propagation delay (real number, % of sender clock)
s(t)           value of signal s at real-time t
Ω              abstract logical value representing signal oscillations
–              element with index i in list l
–              conversion to {0, 1} of signal s at real-time t
γ(l)           conversion of list of bits l to a signal taking values in {0, 1, Ω}
clk_u          clock of unit u
ce_u           clock enable signal of output register of unit u
out_u          output signal of output register of unit u
inp_u          input signal of input register of unit u
R_u            input or output register of unit u
aR_u           analog register of unit u



In the next section we give an overview of our model and its use in the verification of the hardware interface. The bit-clock synchronization algorithm and its hardware implementation are described in Section 3. The hardware design can be translated to Verilog [T^] and synthesized on FPGA. We present our model of asynchronous communications in Section 4. This section presents Proposition 5. We explain the principles of our combination of Isabelle/HOL and IHaVeIt/NuSMV in Section 5 and illustrate the derived proof method using a simple example in Section 6.

Section 7 proves our correctness theorem by induction on the number of bytes in messages. It shows the values for a correct algorithm and gives details about the induction step. The difficulty of this proof is that the main theorem states the correctness of the receiver state machine and the synchronization hardware. The latter involves reasoning about analog phenomena. These two facts are not independent as the hardware controls the state machine and vice versa. We need to prove their correctness simultaneously. Finally, Section 8 discusses related work and Section 9 presents our conclusions.

2 Overview of our model and our proof 

This section gives an overview of our formal model and proof. It introduces principles without giving formal definitions. Some notations are mentioned in this section, but only defined later on in the paper. Table 1 summarizes the notations used throughout this paper.

2.1 Abstract model of asynchronous communications 

Asynchronous communications face three issues: clock drift, clock jitter, and metastability. Clock drift denotes the fact that clocks have different frequencies. Clock jitter denotes the fact that the frequency of one particular clock is not constant over time. This means that two consecutive clock cycles may have two different lengths. Finally, registers may sample undefined signals and reach metastable states. Our formal model of asynchrony takes these three aspects into account.

Clock jitter is formalized in Definition 1 (notation δ, Section 4.2). The bound on the jitter defines the maximum and minimum length of the clock period of all clocks in the system. From this bound on the clock jitter, we derive in Proposition 1 bounds on the drift between two clocks. Our bound is expressed as the maximum number of cycles in which the number of clock edges, called clock ticks, of two clocks may differ by at most one. This maximum number of cycles is denoted as π. Given two clocks u and v, our bound states that if clock u advances by a ≤ π clock ticks then it is known that clock v will advance by a ticks or a ± 1 ticks. Our bound on clock jitter is the same for all clocks of a system. Consequently, our bound on the clock drift is also the same for all pairs of clocks. Metastability is modeled in the formal definition of analog registers (Section 4.4). When a register samples a signal that is neither a logical 1 nor a logical 0, its output oscillates before stabilizing. Oscillations are represented by an undefined logical value (notation Ω). Resolution is represented by a non-deterministic choice between 0 and 1.

A sender cycle is often referred to as cycle c. A receiver cycle is often referred to as cycle ξ. The time of the rising edge starting cycle x on unit u is noted $e_u(x)$ (Equation 4, Section 4.1). On a receiver unit, the rising edge ξ that is the closest in time to sender rising edge c is said to be "marked" (or "affected") by c, notation mk(ξ, c) (see Definition 3, Section 4.5). According to our bound on the clock drift and from a pair of cycles c and ξ, we know the mark of any cycle that is less than π cycles away from sender cycle c. Given a mark mk(ξ, c) and a distance a < π, the mark for all cycles c + a is known with an error of at most one cycle, i.e., we have mk(ξ + a + χ, c + a) with χ ∈ {−1, 0, 1} (Proposition 3, Section 4.5). As edges c and ξ appear approximately at the same time, at the time of edge ξ the output signal of the sender output register might not be stable yet, i.e., still between a logical 0 and a logical 1, and the receiver input register may become metastable. The resolution of this metastable state is a non-deterministic choice that might be the opposite of the value sent by the sender. This resolution to the wrong value might introduce one cycle of delay in the receiver input stage. Resolution to the good value and the absence of a metastable state do not introduce any delay and are treated as a single case. This case distinction is formalized in the metastability factor, notation $\beta^c_\xi$ (see Definition 2, Section 4.3). The metastability factor returns 1 if a delay is introduced at receiver edge ξ marked by sender cycle c, and 0 otherwise. Formally, we have β ∈ {0, 1}.

Finally, the global error is the sum of the error introduced by metastabilities (factor β) with the error introduced by clock imperfections (factor χ). This sum gives an error in the set {−1, 0, 1, 2}. Proposition 5 (Section 4.6) shows that our implementation of the FlexRay algorithm can transmit bits properly even if the number of cycles needed to sample each byte might vary by four cycles.



2.2 Integration of analog and digital aspects 
Figure 2: Mixing Analog and Digital Signals



We consider the setting pictured in Figure 2. The dotted box shows our model of asynchronous communications and two instances of our definition of an analog register (Section 4.4). Outside this dotted box, the sender and the receiver units as well as their registers connected to the bus correspond to the descriptions made by hardware designers in their favorite hardware description language (e.g., VHDL or Verilog). Registers are composed of a control signal (ce), input and output signals (e.g., $inp_r$ and $out_s$), and a clock. In our case, designs are represented in the syntax of Isabelle/HOL. Nevertheless, our description corresponds to synthesizable Register Transfer Level (RTL) designs. The tool IHaVeIt can automatically generate Verilog code from our Isabelle/HOL syntax². The idea is to superpose our abstract model above the digital designs. These designs are not modified. The purpose of our formal model is to provide an abstraction of the analog phenomena related to asynchronous communications. It identifies constraints on the digital units that are sufficient to guarantee proper transmissions in our model of asynchronous communications. This abstraction is captured in Proposition 5 (Section 4.6) and Proposition 6 (Section 5.3). Proposition 5 identifies the constraints that guarantee proper transmission in our analog model. Proposition 6 shows which constraints are required on the (digital) sender unit to guarantee proper reception on the (digital) receiver side via our analog model. Proposition 6 makes the connection between the digital world of hardware designs and the analog world of asynchronous communications.

3 Synchronization mechanism and hardware implementation 

In this section, we introduce the protocol and its hardware implementation. We first give an overview of 
the format of messages and the principles of the protocol. We briefly discuss the implementation of sender 
units. We give more details on the implementation of receiver units. 

3.1 Protocol overview 

We consider the transmission of bits between an arbitrary number of units connected through a shared bus. A basic idea of the time-triggered approach is to give every unit access to the bus during a specific time slot. The concatenation of all time slots forms a round (Figure 3). Rounds are repeated over and over again. This gives every unit regular access to the bus. During its time slot each unit can send one message. Outside its sending slot, a unit listens to the bus waiting for incoming messages. Each unit can send and receive. Idle units send a logical one to the bus. At each time, the value on the bus is the conjunction of all the values output by all units.

Figure 3: Round and slots (the slots slot_0, slot_1, ..., slot_i, ..., slot_{n−1} form one round)



The division of a round into time slots is a global variable of the entire distributed system. To avoid a situation where two units are sending a message in the same time slot, there must be a global understanding of when every slot begins and ends. The difficulty is that each individual unit is independently clocked and each one of them may be at a different time point in a round. It might happen that unit i has its clock at the beginning of slot n whereas unit j is still in slot n − 1, or vice versa. One objective of the FlexRay architecture is to maintain the global synchronous abstraction despite the clock imperfections. In this paper, we are analyzing a small part of it, namely the bit-clock synchronization algorithm. This algorithm handles the bit transmission between two independently clocked registers. We now describe it. The pictures and related explanations are extracted from the FlexRay standard (Chapter 3, Section 3.2.2 of [T]).

The principle of the protocol is explained in Figure 4. The first line gives the output of the sender at each clock cycle. The second line shows the bit read by the receiver. The last line shows the value of a counter maintained by the receiver. The counter counts from one to eight.

The basic idea is to mark the start of the transmission of each byte with a falling edge. This falling edge constitutes the byte start sequence BSS and is created by bits BSS[0] and BSS[1]. Each bit is sent for eight clock cycles. Figure 4 shows the sender output consisting of a byte surrounded by two falling edges. The counter is used by the receiver to determine which of the eight copies of a bit should be sampled. In the Figure, the receiver samples a bit when its counter equals 5. This sample point is called the strobe point. The counter is reset to 2 each time the receiver detects a falling edge.

² More information on the tool can be found at http://www-wjp.cs.uni-saarland.de/ihaveit/
Figure 4: Principle of the protocol

In the Figure, the counter starts with value six instead of one. This illustrates a situation where the receiver is out of synchronization by three cycles. Because of this delay, the receiver samples the last copy of BSS[0]. Then, it detects a falling edge and the counter is reset to two. The receiver samples the fifth copy of the next bit. In the context of perfect clocks, the receiver would sample the fifth copy of every bit. After the first falling edge, the receiver misses one bit. This is illustrated by the cross replacing a 0 or a 1. This corresponds to a situation where either the receiver clock was too fast and the receiver sampled the last copy of bit BSS[1] twice, or the receiver was too slow and the receiver will sample the first bit of the byte twice. The consequence of these two situations is that the receiver will sample the fourth copy of every bit instead of the fifth one. After detecting the next falling edge and resetting the counter, the receiver samples the fifth copy again. So, despite cl
ock imperfections the receiver always starts sampling the fifth copy of every bit. The receiver is kept in synchronization with the sender.
Figure 5: The protocol, drift and metastability

Figure 5 shows how the protocol works in the presence of drift and metastability. Metastability may happen when the receiver samples signals that are transiting between a logical 0 and a logical 1 or vice versa. As the sender produces eight copies of the same bit, metastability may only take place when sampling the first copy of each bit. The resolution of the metastable state is non-deterministic. In the left part of Figure 5 the receiver reads the correct value of the first bit of BSS[1]. This illustrates either that there was no metastability when reading this bit or that metastability resolved to the expected value. The right part of Figure 5 illustrates bad resolution when sampling the first bit of BSS[1]. The receiver reads a 1 instead of a 0. In Figure 4 the receiver always reads eight copies of every bit. In practice, because of clock imperfections, the receiver might only read seven copies. Formally, we can prove that at least seven copies are always read properly (Proposition 5, Section 4.6). The fact that the eighth copy might be misread is pictured by a '?' in Figure 5. Depending on the effect of metastability these seven copies can be read "early" (left part of Figure 5) or "late" (right part of Figure 5).

Our bound on clock jitter and drift is such that missing one cycle in the period starting with the first bit of BSS[0] and ending with the last copy of the last bit of the byte is the worst case (Figure 4). When sampling the following BSS sequence and byte, a cycle might be missed again. The left part of Figure 5 shows the case where the receiver is faster than the sender. The counter is updated twice (to 3 and then to 4) when reading only one copy of a bit. The consequence is that the receiver will strobe earlier and store the fourth copy of the bit. The right part of Figure 5 shows the case where the receiver is slower than the sender. The counter needs two copies of a bit to be updated from 4 to 5. The consequence is that the receiver strobes one cycle later and stores the sixth "good" copy of the bit. The idea is that at least seven copies of every bit will always be stable and ready to be read. The objective of the protocol is to strobe one of these seven "good" copies despite drift and metastability. The difference between the strobe point and the reset is crucial to the correctness of the protocol. Our proof (Section 7.5, Statements 1 and 2) shows that correctness is achieved when this difference is at least one cycle and not greater than three cycles. For larger or smaller values of this difference the protocol fails.

In summary, the main principle of this protocol is to use the BSS sequence as a "mark" used by receivers 
to synchronize with the sender. The falling edge of the BSS sequence "marks" the beginning of a new byte. 
When a receiver detects that mark it will reset its counter to a specific value. After sampling a byte and 
because of clock drift the counter of each individual receiver might be slightly different. They will detect 
the next mark with different values of their counter. But, they will all detect the next falling edge and reset 
their counter to the same value. They will all start sampling the next byte with the same value achieving 
synchronization. 

3.2 Sender module 

As idle units put a one on the bus, a sender starts a transmission with a zero. This bit is called the transmission start sequence, noted TSS. The sender then creates a rising edge by sending another zero and then a one. This sequence is called the frame start sequence, noted FSS. Before transmitting each byte, the sender starts with the falling edge of the byte start sequence made of BSS[0] = 1 and BSS[1] = 0. Finally, the sender ends the transmission with 2 bits creating a rising edge. The last sequence is called the frame end sequence, noted FES = 01. Let (a, b) be the concatenation of bit vectors a with b. A message m of l bytes is encapsulated into a frame f(m) with the following format:

$$f(m) = (\mathit{TSS}, \mathit{FSS}, \mathit{BSS}, m[0], \ldots, \mathit{BSS}, m[l-1], \mathit{FES})$$

Each bit of a frame is sent for eight clock cycles.




Figure 6: Control Automaton 

The sender embeds bytes into frames by the control automaton in Figure 6. As specified by the protocol, in each state the corresponding bit is generated eight times. The sender is connected with the shared bus through a register named $R_s$ with control enable bit $ce_s$ (see Figure 2). This paper focuses on the verification of message reception. We do not detail the sender implementation any further.

3.3 Receiver implementation: Bit clock synchronization 

Figure 7: Input Stage

The receiver module implements the same state automaton as the sender. In each state, the receiver is expecting to receive the corresponding bit of the frame eight times. Beside the automaton, the relevant part of this receiver consists of the input stage pictured in Figure 7. The first two registers form a "synchronizer" used to remedy metastability. Designers used a 2-stage synchronizer, which means that they assume that the resolution time of the metastability is less than one clock cycle. The results presented here would be equally applicable to synchronizers of any length. A five-majority vote is performed. Signal sync is used to detect the synchronization sequence BSS. It is high if and only if the current voted bit does not equal its previous value and the state automaton is either in state idle or in state BSS[1]. When sync is high, counter cnt is reset to 000 in the next cycle. Let $s^t$ be the value of signal s at hardware cycle t. Let z denote the state of the receiver automaton. Signal sync is defined by the following equation:

$$\mathit{sync}^t \equiv v^t \ne v^{t-1} \wedge (z^t = \mathit{BSS}[1] \vee z^t = \mathit{idle}) \qquad (1)$$

Counter cnt is defined as follows:

$$(\mathit{cnt}^{t+1} = \mathit{cnt}^t + 1 \wedge \neg\mathit{sync}^t) \vee \mathit{cnt}^{t+1} = 000 \qquad (2)$$

The state automaton is clocked by signal strobe, which is high each time the counter reaches value 010 and the automaton is not synchronizing, i.e., when signal sync is low. The formal definition of signal strobe is as follows:

$$\mathit{strobe}^t = \mathit{cnt}^t = 010 \wedge \neg\mathit{sync}^t \qquad (3)$$

Each time strobe is high, the voted bit is stored in shift register BYTE. When the last bit has been stored (i.e., the automaton is in state b[7]) and signal strobe is high, signal rb.we turns high and BYTE is written to the main receiver buffer.

Our implementation differs slightly from the FlexRay guidelines. The standard suggests resetting the counter to 010 and strobing when it reaches 101. We reset to 000 and strobe at 010. The parameter crucial to the algorithm is the difference between the strobe and the reset values. We chose to reset to 000 because it is slightly simpler to implement than a reset to 010. In our configuration, the difference between the strobe and the reset values is two cycles. In the FlexRay standard, the difference is three cycles. In a previous implementation of this algorithm [3], the counter is reset to 000 and strobe is high when cnt is 100. In this configuration, the difference between the strobe and reset points is four cycles, one cycle more than in the FlexRay standard. We prove that the synchronization algorithm works only if this difference is at least one cycle and not greater than three cycles.
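The counting argument of Sections 3.1 and 3.3 can be exercised on a cycle-level model. The Python below is an added example, not the paper's Isabelle/HOL design nor the Verilog generated from it: it implements Equations (1)-(3) with a 3-bit counter and a receiver automaton that advances on strobe, and it replaces clock drift and metastability by discrete perturbations of the receiver's sample stream (a frame bit seen seven or nine times instead of eight, and the first copy of BSS[1] resolving to the previous value). The bit patterns TSS = 0, FSS = 01, BSS = 10, FES = 01, MSB-first bytes, the state names and the message are assumptions made here, and the function names are constructed.

```python
"""Cycle-level model of the receiver input stage of Section 3.3 (Equations 1-3).

Added example; not the paper's Isabelle/HOL design or generated Verilog.  Drift
and metastability are replaced by discrete perturbations of the sample stream,
so this illustrates the counting argument of Section 3.1, not the proof.
"""

# Frame building blocks as read from Section 3.2 (assumed bit patterns).
TSS, FSS, BSS, FES = [0], [0, 1], [1, 0], [0, 1]

# Receiver automaton (assumed; Figure 6 is not reproduced here).  A state names
# the frame bit expected next; "tail" expects either BSS[0] or FES[0].
BYTE_STATES = ["b%d" % i for i in range(8)]
NEXT = {"idle": "FSS0", "FSS0": "FSS1", "FSS1": "BSS0", "BSS0": "BSS1",
        "BSS1": "b0", "b7": "tail", "FES1": "idle"}
NEXT.update({"b%d" % i: "b%d" % (i + 1) for i in range(7)})


def frame_bits(message):
    """f(m) = (TSS, FSS, BSS, m[0], ..., BSS, m[l-1], FES), bytes MSB first."""
    bits = TSS + FSS
    for byte in message:
        bits += BSS + [(byte >> (7 - i)) & 1 for i in range(8)]
    return bits + FES


def receiver_view(bits, idle_cycles=4, drop_after=(), dup_after=(), misread_first=()):
    """The voted bit as the receiver sees it, one (value, frame bit, copy) per cycle.

    Every frame bit is normally seen eight times (copies 1..8).  A slow receiver
    sees only seven copies of the bits listed in drop_after, a fast one sees nine
    copies of the bits in dup_after.  A metastable sample at a falling edge that
    resolves to the old value is modelled by letting copy 1 of the bits in
    misread_first read the previous bit.  The bus idles at 1 before the frame.
    """
    samples = [(1, -1, j + 1) for j in range(idle_cycles)]
    for k, b in enumerate(bits):
        copies = list(range(1, 9))
        if k in drop_after:
            copies.pop()          # copy 8 is never sampled
        if k in dup_after:
            copies.append(8)      # copy 8 is sampled twice
        for j in copies:
            previous = bits[k - 1] if k > 0 else 1
            v = previous if (j == 1 and k in misread_first) else b
            samples.append((v, k, j))
    return samples


def run_receiver(samples, reset_val=0, strobe_val=2):
    """Equations (1)-(3) of Section 3.3 with a 3-bit counter.

    Returns the decoded bytes and, for every strobe, (state, frame bit, copy).
    """
    state, cnt, prev_v = "idle", 0, 1
    shift, out, strobed = [], [], []
    for v, bit, copy in samples:
        sync = (v != prev_v) and state in ("idle", "BSS1")     # (1)
        strobe = (cnt == strobe_val) and not sync               # (3)
        if strobe and not (state == "idle" and v == 1):         # idle bus: nothing to store
            strobed.append((state, bit, copy))
            if state in BYTE_STATES:
                shift.append(v)                                 # shift register BYTE
                if state == "b7":                               # rb.we: byte complete
                    out.append(int("".join(map(str, shift)), 2))
                    shift = []
            if state == "tail":
                state = "BSS1" if v == 1 else "FES1"            # another byte or frame end
            else:
                state = NEXT[state]
        cnt = reset_val if sync else (cnt + 1) % 8              # (2)
        prev_v = v
    return out, strobed


def strobe_copies(message, reset_val, strobe_val, **perturbation):
    """Decode a frame and map each frame-bit index to the copy at which it was strobed."""
    samples = receiver_view(frame_bits(message), **perturbation)
    out, strobed = run_receiver(samples, reset_val, strobe_val)
    return out, {bit: copy for _, bit, copy in strobed}


if __name__ == "__main__":
    for params in ((0, 2), (2, 5), (0, 4)):      # this paper, FlexRay, and [3]
        out, copies = strobe_copies([0xA5, 0x3C], *params, misread_first={4}, drop_after={6})
        print(params, [hex(b) for b in out], sorted(set(copies.values())))
```

With the page's parameters (reset 000, strobe 010) every frame bit is strobed at its fourth copy. One dropped copy moves all later strobes of the byte to the fifth copy, the misread first copy of BSS[1] does the same, both together reach the sixth, a duplicated copy the third, and the falling edge of the next BSS brings the strobe back to the fourth copy, which is the resynchronization described in Section 3.1. With the parameters of [3] (reset 000, strobe 100) the same two perturbations push the strobe to the eighth copy, the one Section 3.1 says is not guaranteed to be read properly.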

4 Asynchronous communications and the main statement 

This section presents our formal model of asynchronous communications. We first define signals and clocks. After that, we define our bounds on clock jitter and drift. After defining the metastability factor and analog registers, the section concludes with the correctness of the bit transmission (Proposition 5).



4.1 Signals and clocks 

Time is represented by the nonnegative reals ($\mathbb{R}^+$). We assume a finite number of electronic control units (abbr. ECU) that are connected through a shared bus. The set of all the units is noted U.

A signal s is represented by a function s(t) from real time t to {0, 1, Ω}: 1 and 0 mean "high" and "low" voltages; Ω means any other voltage. Value Ω abstracts in one logical value all voltages that cannot be identified as a logical 1 or 0. Formally, signals have the following functionality:

$$s : \mathbb{R}^+ \to \{0, 1, \Omega\}$$

Because of their cyclic behavior, clocks are not represented by signals but by their period. The clock period of unit u is noted $\tau_u$. This represents the ideal case. In practice, clock periods suffer from jitter and are not constant over time. Jitter is introduced hereafter in Section 4.2. Periods are different from zero. The time of the c-th rising edge of clock $clk_u$ of unit u is given by function e. Formally, e is a function which converts discrete time to real time relative to the clock of unit u.

$$e : \mathbb{N} \times U \to \mathbb{R}^+ \qquad (4)$$

Function e is defined as the product of c with the clock period: $e(c, u) = c \cdot \tau_u$. To simplify our notation, we shall write $e_u(c)$ instead of $e(c, u)$.

A clock cycle is defined by the time interval between two rising clock edges. Clock cycle c at unit u is represented by interval $]e_u(c) : e_u(c+1)]$. The interval is left open to represent the fact that the cycle starts when the clock edge has reached value 1.



4.2 Clock jitter and clock drift 

Function e gives the ideal time of edges. In practice, clocks suffer from jitter and the length of a clock period is not constant over time. We assume that all clock periods of any clock deviate at most by a fraction δ of a reference clock period. This reference clock is named $clk_{ref}$. Its period is $\tau_{ref}$.

Definition 1. Bounded Clock Jitter.

$$1 - \delta \le \frac{\tau_u}{\tau_{ref}} \le 1 + \delta$$

We are not interested in the deviation at each cycle, but in the number of cycles in which the number of ticks of two independent clocks may differ by at most one. Let π be that number. In this interval, the maximum drift between two clocks is obtained between the slowest and the fastest clocks allowed by our bound on the clock jitter (Definition 1). We derive a bound on the clock drift from the ratio between the minimum and the maximum clock periods. From the bound on the clock jitter (Definition 1) and a suitable choice of π in terms of δ, we prove the following proposition:

Proposition 1. Bounded Clock Drift

$$\pi - 1 \le \frac{\pi \cdot \mathrm{Min}(\tau_i, \tau_j)}{\mathrm{Max}(\tau_i, \tau_j)}$$

This property is preserved for any number less than π.
Figure 8: Behavior of the register w.r.t. clock edge c

4.3 Metastability factor

Our model of metastability links three parts: (1) the undefined voltage Ω, (2) the non-deterministic resolution of metastable states to a well-defined value, and (3) resolution to the negation of the expected value. Points (1) and (2) are related in the formal definition of analog registers (Section 4.4). The last point is captured by the metastability factor, notation $\beta^c_\xi$ (Definition 2). We now specify the behavior of analog registers and formally define the metastability factor. Then, we continue with the formal definition of analog registers.

Registers consist of one input signal inp, one clock signal clk, one control signal ce, and one output signal out. Figure 8 illustrates the behavior of a register. A new value (x) is input to the register at cycle c (interval $]e_u(c) : e_u(c+1)]$). During the minimum propagation delay $t_{Pmin}$ the output signal equals the previous value y. Because the control signal is high, the output oscillates (i.e., is Ω) before stabilizing at the new value x. If the control signal is low, the output does not oscillate and keeps its old value y.

If the input or the control signals do not have a constant value during the setup time (noted $t_s$) before edge c or during the holding time (noted $t_h$) after edge c, the register may become metastable. This means that its output may still be Ω after $t_{Pmax}$. After resolution of this metastability, the receiver input register will output either the value sent by the sender or its negation. The former case is equivalent to the case when there is no metastable state. Therefore, we always assume resolution to the negation of the expected input. This case distinction is represented by the metastability factor (β). Metastability can only happen if an edge, say ξ, (minus the setup time) appears while the sender output is undefined, i.e., before $e_s(c) + t_{Pmax}$. In this case, the metastability factor returns 1. It returns 0 otherwise. Formally, the metastability factor is a function, which takes as arguments cycles ξ and c, and two clocks.

Definition 2. Metastability Factor.

$$\beta(\xi, c, clk_s, clk_r) = \text{if } e_r(\xi) - t_s < e_s(c) + t_{Pmax} \text{ then } 1 \text{ else } 0$$

To alleviate the notation, we shall write $\beta^c_\xi$ instead of $\beta(\xi, c, clk_s, clk_r)$. The notation $\beta^c_\xi$ denotes whether sampling the bit sent at sender cycle c is affected by a potential metastability at receiver cycle ξ.



4.4 Formal definition of analog registers 

A signal s is stable during time interval [t_1 : t_2] if it holds the value at time t_1 until time t_2. A signal s
has a defined value during time interval [t_1 : t_2] if it never equals Ω during that interval. Formally, this is
expressed as follows (stadep stands for "stable, defined, predicate"):

$stadep(t_1, t_2, s) \equiv \exists b \in \{0, 1\},\ \forall t \in [t_1 : t_2],\ s(t) = b$
aR_u(c, clk_u, ce_u, inp_u, out^0_u) =
  if c = 0 then λt. out^0_u else
  if stadep(e_u(c) - t_s, e_u(c) + t_h, ce_u)
     ∧ stadep(e_u(c) - t_s, e_u(c) + t_h, inp_u)
  then ;; stable inputs - no metastability
    if ce_u(e_u(c)) = 1 then ;; update with new value
      λt.  aR_u(c - 1, ...)(e_u(c))   if t ∈ e_u(c) + ]0 : t_Pmin]
           Ω                          if t ∈ e_u(c) + ]t_Pmin : t_Pmax]
           inp_u(e_u(c))              if t ∈ e_u(c) + ]t_Pmax : τ_u]
           Ω                          if t ∉ e_u(c) + ]0 : τ_u]        ;; to make function total
    else ;; keep old value
      λt.  aR_u(c - 1, ...)(e_u(c))   if t ∈ e_u(c) + ]0 : τ_u]
           Ω                          if t ∉ e_u(c) + ]0 : τ_u]        ;; to make function total
    endif
  else ;; metastability - non-deterministic resolution to 0 or 1
    λt.  aR_u(c - 1, ...)(e_u(c))     if t ∈ e_u(c) + ]0 : t_Pmin]
         Ω                            if t ∈ e_u(c) + ]t_Pmin : τ_u - t_s[
         x ∈ {0, 1}                   if t ∈ e_u(c + 1) + [-t_s : 0]
         Ω                            if t ∉ e_u(c) + ]0 : τ_u]          ;; to make function total
  endif
  endif

Figure 9: Definition of Analog Registers



The formal definition of the analog behavior is given by function aR_u (Figure 9). We are interested in
the output value of a register for all real times during cycle c. Function aR_u takes as arguments a cycle c, a
clock signal clk_u, a clock enable control signal ce_u, an input signal inp_u, and the initial output value out^0_u;
it generates a signal.

If no setup or holding time violation occurs, the register behaves normally. If the control signal is low,
the register keeps its old value (at the previous cycle c − 1); if the control signal is high the output keeps its
previous value during t_Pmin, then oscillates (i.e., is Ω) to finally reach its final value at time e_u(c) + t_Pmax. If
input signal inp_u or control signal ce_u is not stable and defined during interval e_u(c) + [−t_s : t_h], the register
becomes metastable. The output equals the previous computation until t_Pmin (included) and Ω afterwards.
At the end of the cycle, metastability has been resolved and the output equals an arbitrary but defined
value. To make the function total, Ω is output for all times outside the cycle. To alleviate our notation, we
shall write aR^c_u instead of aR_u(c, clk_u, ce_u, inp_u, out^0_u).

Formally, all timing parameters (t_h, t_s, t_Pmin, t_Pmax) are real numbers expressed as percentages of the local
clock period. In the remainder of this paper, if not stated otherwise, propagation delays are relative to the
sender clock and setup and holding times are relative to the receiver clock period. We assume that the sum
of these parameters is less than 1.

4.5 The "mark" 

The relation between a sender and a receiver is pictured in Figure 10. A sender starts sending three different
bits at edges c, c + 8, and c + 16. Each bit is sent for eight clock cycles. If we take a closer look around
edge c, the sender output is not modified before e_s(c) + t_Pmin, when it moves from y to Ω (see Figure 8 for
more details). If a receiver samples before that time, it will get the old value. It is not yet affected by the
new transfer. In contrast, sampling strictly after that time will affect the receiver: either it will become
metastable, or it will detect a new value. At most, it will take a receiver a full cycle to sample after this
time. Let ξ be the first receiver edge after e_s(c) + t_Pmin. As this edge is the first one to be affected by the
behavior of the sender, we denote it as "marked with edge c", noted mk(ξ, c). If there is no ambiguity, we
may drop the first argument. We name this edge "the affected cycle". It is formally defined as follows:
Figure 10: Relating Receivers and Senders (sender edges e_s(c), e_s(c + 8), e_s(c + 16) and the marks mk(ξ, c), mk(ξ + 8 + χ, c + 8), mk(ξ + 16 + χ, c + 16) with χ ∈ {−1, 0, 1})



Definition 3. Affected Cycle.

$mk(\xi, c) \equiv e_r(\xi) + t_h \in e_s(c) + ]t_{Pmin} : \tau_r]$



Suppose that edge ξ is affected by some cycle c at which a sender puts a new bit on the bus. If the
sender sends another bit within a number of cycles (a) less than our bound π, the corresponding affected
cycle may be seen by the receiver with a potential error of one cycle, i.e., at e_r(ξ + a ± 1). This means that
subsequent marks are known with the same error. We name χ ∈ {−1, 0, 1} the drift factor. Figure 10 shows
these marks for a = 8 and a = 16. Formally, we have the following Proposition:

Proposition 2. More Affected Cycles.

$\mathcal{T}_r \wedge \mathcal{T}_s \wedge 0 < a < \pi \wedge mk(\xi, c) \rightarrow \bigvee_{\chi \in \{-1, 0, 1\}} mk(\xi + a + \chi, c + a)$

Proof. We do a case analysis depending on the position of ξ + a regarding the receiver cycle expected
to be affected by sending at sender cycle c + a. The expected affected cycle should be in the interval
e_s(c + a) + ]t_Pmin : τ_r]. If e_r(ξ + a) is (1) before that interval, we prove that it contains e_r(ξ + a + 1); (2)
within that interval, this proves the obvious case where χ = 0; (3) after that interval, we prove that it
contains e_r(ξ + a − 1). □

Proposition 2 is important because it gives us which marks can be deduced from the knowledge of a
single one. In most of the proofs done in the analysis of the hardware, we always assume only one mark.
Then, we use Proposition 2 to obtain subsequent marks and perform a case analysis on the three possible
times of these marks.



4.6 Correctness of asynchronous communications 

To ensure that the receiver will not always sample Ω's, the sender keeps its output constant for several
cycles (say k cycles). If k is large enough there exists a "sweet spot" in which the receiver can sample safely.
Formally, the safe sampling window of length k w.r.t. cycle c (noted SSW^c_k) is defined as follows:

Definition 4. Safe Sampling Window.

$SSW^c_k \equiv ]e_{clk}(c) + t_{Pmax} : e_{clk}(c + k + 1) + t_{Pmin}]$

We prove that under our drift hypothesis, SSW^c_k entails up to k − 1 receiver cycles (or k edges), even in
case of metastability. This shows the number of "good" samples that guarantee reception by the receiver
without metastability.

Proposition 3. SSW's are large enough.

$\mathcal{T}_r \wedge \mathcal{T}_s \wedge mk(\xi, c) \wedge n + 1 \le k \le \pi \rightarrow \forall l \le n,\ e_r(\xi + \beta^c_\xi + l) + [-t_s : t_h] \subseteq SSW^c_k$

The proposition reads as follows. The first two terms of the hypothesis state that jitter on the receiver
and sender clocks is bounded. The third one states that the bit sent at sender cycle c corresponds to receiver
cycle ξ. The last term assumes that k is not greater than our bound π on the clock drift. The conclusion
shows that the time of n receiver edges together with their set-up and holding times - hence n + 1 = k cycles
- is within the safe sampling window. Note that there are k cycles even in the presence of metastability
(β^c_ξ = 1).
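As an added, runnable illustration of Definitions 1 to 4 and Propositions 2 and 3 (example code written for this page, not the paper's Isabelle/HOL development), two jittered clocks are simulated as lists of edge times and the mark, the metastability factor and the safe sampling window are computed on them. The timing parameters and the jitter bound δ = 0.01 are constructed; the reading of Proposition 1 as π·Min(τ_i, τ_j) ≥ (π − 1)·Max(τ_i, τ_j), which yields π = ⌊(1 + δ)/(2δ)⌋, and the operational reading of the mark as the first receiver edge whose hold point e_r(ξ) + t_h lies strictly after e_s(c) + t_Pmin are assumptions of this example.

```python
import bisect
import random

# Constructed timing parameters (assumptions, not the paper's values), all as
# fractions of the reference period tau_ref = 1: jitter bound, receiver setup
# and hold times, sender propagation delays.
DELTA = 0.01
T_S, T_H = 0.05, 0.05
T_PMIN, T_PMAX = 0.10, 0.20


def drift_bound(delta):
    """Largest pi with pi * (1 - delta) >= (pi - 1) * (1 + delta), i.e. our
    reading of Proposition 1 for the extreme periods: pi <= (1+delta)/(2 delta)."""
    pi = int((1 + delta) / (2 * delta))
    assert pi * (1 - delta) >= (pi - 1) * (1 + delta)
    return pi


def clock_edges(n, delta, rng, bias=None):
    """Edge times e_u(0..n) of a clock whose every period satisfies Definition 1.
    bias=-1/+1 pins the clock at its fastest/slowest admissible period."""
    edges = [0.0]
    for _ in range(n):
        period = 1.0 + (rng.uniform(-delta, delta) if bias is None else bias * delta)
        edges.append(edges[-1] + period)
    return edges


def beta(xi, c, e_s, e_r):
    """Definition 2: 1 when receiver edge xi minus its setup time can still see
    an undefined sender output, 0 otherwise."""
    return 1 if e_r[xi] - T_S < e_s[c] + T_PMAX else 0


def mark(c, e_s, e_r):
    """mk(xi, c) as read from the prose of Section 4.5: the first receiver edge
    whose hold point e_r(xi) + t_h lies strictly after e_s(c) + t_Pmin."""
    xi = bisect.bisect_right(e_r, e_s[c] + T_PMIN - T_H)
    if xi >= len(e_r):
        raise ValueError("not enough receiver edges simulated")
    return xi


def ssw(c, k, e_s):
    """Definition 4: the window ]e_s(c) + t_Pmax : e_s(c + k + 1) + t_Pmin]."""
    return e_s[c] + T_PMAX, e_s[c + k + 1] + T_PMIN


def drift_factor(c, a, e_s, e_r):
    """Proposition 2: chi = mark(c + a) - (mark(c) + a) must lie in {-1, 0, 1}."""
    return mark(c + a, e_s, e_r) - (mark(c, e_s, e_r) + a)


def edges_in_ssw(c, k, n, e_s, e_r):
    """Proposition 3: edges xi + beta + l, l <= n, with their setup and hold
    times, all lie inside SSW^c_k."""
    xi = mark(c, e_s, e_r)
    lo, hi = ssw(c, k, e_s)
    b = beta(xi, c, e_s, e_r)
    return all(lo < e_r[xi + b + l] - T_S and e_r[xi + b + l] + T_H <= hi
               for l in range(n + 1))


def run_checks(seed=1, cycles=400, k=7, n=6, senders=100):
    """Exercise Propositions 2 and 3 on random clocks and on the two extreme
    pairings (fast sender / slow receiver and the reverse)."""
    rng = random.Random(seed)
    pi = drift_bound(DELTA)
    pairs = [(clock_edges(cycles, DELTA, rng), clock_edges(cycles, DELTA, rng)),
             (clock_edges(cycles, DELTA, rng, -1), clock_edges(cycles, DELTA, rng, +1)),
             (clock_edges(cycles, DELTA, rng, +1), clock_edges(cycles, DELTA, rng, -1))]
    chis, ssw_ok = set(), True
    for e_s, e_r in pairs:
        for c in range(1, senders):
            for a in range(1, pi):
                chis.add(drift_factor(c, a, e_s, e_r))
            ssw_ok = ssw_ok and edges_in_ssw(c, k, n, e_s, e_r)
    return pi, chis, ssw_ok


if __name__ == "__main__":
    print(run_checks())
```

The two extreme pairings are what produce the drift factors χ = ±1 near a = π − 1; with k = 7 and n = 6 (the FlexRay values used later in the paper) the seven edges ξ + β^c_ξ + l stay inside the window with a margin of several tenths of a period, which is why the check passes for every c and for either value of β.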

Proposition 4 below proves that sampling in a safe sampling window is correct. Its first line assumes
that jitter is bounded, sender cycle c is related to receiver cycle ξ, and that k is not greater than our bound
π on the clock drift. The second line expresses the fact that the sender creates a safe sampling window of
length k. The third and fourth assumptions state that control and input bits must be stable and defined
during interval e_s(c) + ]−t_s : t_h] to avoid metastabilities on the sender side. The last two assumptions state
that there is a connection between the sender and the receiver and that the time of receiver edge ξ is in the
safe sampling window (SSW^c_k). The conclusion shows that the output of the receiver register equals the bit
sent by the sender.

Proposition 4. Correct Transfer.

$\mathcal{T}_r \wedge \mathcal{T}_s \wedge mk(\xi, c) \wedge c > 0 \wedge n + 1 \le k \le \pi$ (*bounded drift, affected cycle*)
$\wedge\ ce_s(e_s(c)) = 1 \wedge \forall l \in [1 : k],\ ce_s(e_s(c + l)) = 0$ (* SSW^c_k *)
$\wedge\ \forall l \in [0 : k + 1],\ stadep(e_s(c + l) - t_s, e_s(c + l) + t_h, inp_s)$ (* input *)
$\wedge\ \forall l \in [0 : k + 1],\ stadep(e_s(c + l) - t_s, e_s(c + l) + t_h, ce_s)$ (* control *)
$\wedge\ \forall c,\ inp_r = aR_s(c, clk_s, ce_s, inp_s, out^0_s) \wedge \forall t,\ ce_r(t) = 1$ (* analog connection *)
$\wedge\ e_r(\xi) + [-t_s : t_h] \subseteq SSW^c_k$ (* good cycle *)
$\rightarrow aR^\xi_r(e_r(\xi + 1)) = inp_s(e_s(c))$

Proof. First, Proposition 3 gives us the position of receiver edges in the safe sampling window. Then, we
case split on the position of interval e_r(ξ) + ]−t_s : t_h]. We set two reference points: e_s(c + 1) and e_s(c + 1 + k).
We prove the conclusion for 5 cases depending on the position of interval e_r(ξ) + ]−t_s : t_h] regarding these
points. □

Finally, Proposition 5 hereafter combines Proposition 3 and Proposition 4 to prove that for all edges in
the safe sampling window the receiver register samples properly. The five hypotheses equal the first five
hypotheses of the previous proposition. The conclusion shows that the output value of the receiver register
equals the value sent by the sender at cycle c for x cycles. Cycle ξ + β^c_ξ denotes the first "good" sample after
either a bit inversion introduced by wrong resolution of a metastable state (β^c_ξ = 1) or a proper reading at
receiver cycle ξ (β^c_ξ = 0). Function aR_r^{ξ+β^c_ξ+x}(t) represents the output signal of the receiver register during
each "good" cycle x. We consider the value at the end of each cycle, i.e., at time e_r(ξ + β^c_ξ + x + 1).

We illustrate Proposition 5 for the FlexRay protocol and its seven "good" values sketched in Section 3.1
and its figures. The FlexRay protocol specifies that senders must send a bit for eight clock cycles, i.e.,
they keep their output stable for seven extra cycles. So, we have k = 7 and n = 6. The receiver always reads
seven good copies, for x = 0 to 6. Depending on the value of β^c_ξ, these seven good copies are read "early"
(β^c_ξ = 0) or "late" (β^c_ξ = 1).

Proposition 5. Known Inputs.

$\mathcal{T}_r \wedge \mathcal{T}_s \wedge mk(\xi, c) \wedge c > 0 \wedge n + 1 \le k \le \pi$ (*bounded drift, affected cycle*)
$\wedge\ ce_s(e_s(c)) = 1 \wedge \forall l \in [1 : k],\ ce_s(e_s(c + l)) = 0$ (* SSW^c_k *)
$\wedge\ \forall l \in [0 : k + 1],\ stadep(e_s(c + l) - t_s, e_s(c + l) + t_h, inp_s)$ (* input *)
$\wedge\ \forall l \in [0 : k + 1],\ stadep(e_s(c + l) - t_s, e_s(c + l) + t_h, ce_s)$ (* control *)
$\wedge\ \forall c,\ inp_r = aR_s(c, clk_s, ce_s, inp_s, out^0_s) \wedge \forall t,\ ce_r(t) = 1$ (* analog connection *)
$\rightarrow \forall x \in [0 : n] : aR_r^{\xi + \beta^c_\xi + x}(e_r(\xi + \beta^c_\xi + x + 1)) = inp_s(e_s(c))$

Proof. Proposition 3 gives us n + 1 cycles in the safe sampling window. For each one of them we conclude
using Proposition 4. □
This last Proposition will be rephrased in the next section to mix analog and digital worlds. It is key
because it gives us which inputs are correctly sampled by the receiver when knowing the cycle at which the
sender has put a bit on the bus. The "digitalized" version of this formula will convert the conclusion to
mention bits and not signals.

5 Continuous model and discrete semantics 

Our model of asynchronous communications mentions analog entities only. The semantics is based on
functions and a dense representation of time. Ultimately, we want to use this model to verify hardware
designs described in another semantics based on a discrete notion of time and transition functions. Before
describing our approach, we define type conversion functions and rephrase Proposition 5 to match bits and
not signals.

5.1 Principle and soundness

We recall Figure 2 that illustrates our integration of our analog results in the analysis of digital designs. Our
model of asynchrony is shown inside the dashed box. The remainder of the Figure corresponds to digital
designs that are actually used to synthesize hardware. These designs are not modified. Our model is simply
inserted as a filter of the receiver inputs. Functions γ and ζ convert bits to signals and signals to bits. We
give their precise definition in the next subsection.

Digital designs are represented by their transition function, one application of which represents the
computation of one clock cycle. The sender and the receiver parts are analyzed separately. The analysis
of the sender does not need any analog arguments. It mainly consists of the proof that sender output out_s
follows a specific frame format. The analysis of the receiver is done assuming correctness of the sender
and that the connection of receiver input inp_r is done through our model of asynchrony. We write that an
element s_u of unit u has bit-value x at cycle c - i.e., after c applications of the transition function - as s_u^c = x.
Formally, we assume that the value of input bit inp_r at hardware cycle c equals the output value of register
aR_r at the time of edge c + 1:

$\forall c,\ inp^c_r = \zeta(aR_r, e_r(c + 1))$ (5)

The left hand side represents the value that should be in register R_r at c + 1. As the analog register is not
part of the transition function of the receiver, one application of the latter compensates this difference. The
right hand side is always a defined value.

5.2 Mixing bits and signals 

Function γ is not given any particular definition. We only assume that it produces a signal such that during
the metastability window around cycle i + 1 it outputs the value with index i in the bit list. This property
is defined by predicate bv2sp:

$bv2sp(\gamma, l_u, clk_u) \equiv \forall t, i,\ t \in e_u(i + 1) + ]-t_s : +t_h] \rightarrow \gamma(l_u)(t) = l_u[i]$

Function ζ takes as input a signal and a time. If the value of the signal at that time is a bit value, this
value is returned. Otherwise, a non-deterministic choice is made and some bit value is returned.

$\zeta(s, t) \equiv \text{if } s(t) \in \{0, 1\} \text{ then } s(t) \text{ else } x \in \{0, 1\}$
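The analog register of Figure 9 (Section 4.4) together with the conversion functions γ and ζ of this subsection and the connection of Equation 5, as an added runnable model written for this page (it is not the paper's Isabelle/HOL formalization). Signals are piecewise-constant functions of dense time; the interval bounds of Figure 9 are read as ]t_Pmin : t_Pmax] for Ω and ]t_Pmax : τ_u] for the new value; the representation of Ω by None, the timing parameters, the sender period 1, the receiver period 1.01, the bit pattern and the placement of γ's switching points at e_u(i + 1) − t_s are constructed assumptions, and the `resolve` callback stands in for the non-deterministic resolution of a metastable state. transfer_demo wires a sender register into a receiver register as in the "analog connection" hypothesis and returns the receiver's digital inputs inp_r^c = ζ(aR_r, e_r(c + 1)).

```python
import bisect

OMEGA = None  # stand-in for the undefined value Omega (assumption)


class Signal:
    """Piecewise-constant signal over dense time: the value at t is the one set
    by the last change strictly before t, and Omega before any change."""
    def __init__(self, changes):
        changes = sorted(changes, key=lambda cv: cv[0])
        self.times = [t for t, _ in changes]
        self.values = [v for _, v in changes]

    def __call__(self, t):
        i = bisect.bisect_left(self.times, t) - 1
        return self.values[i] if i >= 0 else OMEGA


def stadep(t1, t2, s):
    """Stable and defined: a single bit value for every t in ]t1 : t2]."""
    v = s(t2)
    lo, hi = bisect.bisect_right(s.times, t1), bisect.bisect_left(s.times, t2)
    return v in (0, 1) and lo > 0 and all(s.values[i] == v for i in range(lo - 1, hi))


def gamma(bits, edges, t_s):
    """gamma: bit list -> signal satisfying bv2sp (bits[i] holds on e(i+1) + ]-t_s : t_h]);
    switching exactly at e(i+1) - t_s is a constructed choice."""
    return Signal([(edges[i + 1] - t_s, bits[i]) for i in range(min(len(bits), len(edges) - 1))])


def zeta(s, t, resolve):
    """zeta: the bit value of s at t, or a resolved bit when s(t) is Omega."""
    v = s(t)
    return v if v in (0, 1) else resolve()


def analog_register(edges, ce, inp, out0, p, resolve):
    """Output signal of Figure 9 built cycle by cycle; cycle c is ]e(c) : e(c+1)].
    p holds t_s, t_h, t_pmin, t_pmax as fractions of the local period."""
    changes = [(edges[0], out0)]  # cycle 0: lambda t. out0
    for c in range(1, len(edges) - 1):
        ec, tau = edges[c], edges[c + 1] - edges[c]
        t_s, t_h = p["t_s"] * tau, p["t_h"] * tau
        prev = Signal(changes)(ec)  # aR_u(c-1, ...)(e_u(c))
        clean = stadep(ec - t_s, ec + t_h, ce) and stadep(ec - t_s, ec + t_h, inp)
        if not clean:  # metastable: Omega after t_Pmin, resolved t_s before e(c+1)
            changes += [(ec, prev), (ec + p["t_pmin"] * tau, OMEGA), (ec + tau - t_s, resolve())]
        elif ce(ec) == 1:  # load: old value, Omega, then the new value after t_Pmax
            changes += [(ec, prev), (ec + p["t_pmin"] * tau, OMEGA), (ec + p["t_pmax"] * tau, inp(ec))]
        else:  # keep the old value for the whole cycle
            changes.append((ec, prev))
    return Signal(changes)


def run_lengths(seq):
    """Maximal runs of equal values as (value, length) pairs."""
    runs = []
    for x in seq:
        if runs and runs[-1][0] == x:
            runs[-1] = (x, runs[-1][1] + 1)
        else:
            runs.append((x, 1))
    return runs


def transfer_demo(resolve, bits=(1, 0, 1), hold=8, tau_r=1.01):
    """Sender (period 1) loads each bit once and holds it for `hold` cycles; the
    receiver register samples on its own clock (period tau_r) with ce_r = 1.
    Returns inp_r^c = zeta(aR_r, e_r(c+1)) for the receiver cycles (Equation 5)
    and the run lengths of that digital sequence."""
    p = {"t_s": 0.05, "t_h": 0.05, "t_pmin": 0.10, "t_pmax": 0.20}  # constructed
    cycles = hold * len(bits) + 4
    e_s = [c * 1.0 for c in range(cycles + 2)]
    e_r = [c * tau_r for c in range(cycles + 2)]
    ce_s, inp_s = [], []  # list index c-1 is the bit presented at edge e_s(c)
    for c in range(1, cycles + 1):
        j = c - 2
        active = 0 <= j < hold * len(bits)
        ce_s.append(1 if active and j % hold == 0 else 0)
        inp_s.append(bits[j // hold] if active else 0)
    out_s = analog_register(e_s, gamma(ce_s, e_s, p["t_s"]), gamma(inp_s, e_s, p["t_s"]), 0, p, lambda: 0)
    out_r = analog_register(e_r, Signal([(float("-inf"), 1)]), out_s, 0, p, resolve)
    inp_r = [zeta(out_r, e_r[c + 1], resolve) for c in range(1, cycles)]
    return inp_r, run_lengths(inp_r)
```

With these parameters the receiver hits a setup/hold violation at exactly the two cycles where its edge falls into a sender transition (the bits 0 and 1 loaded at e_s(10) and e_s(18)); whichever way those two metastable cycles resolve, every sent bit still shows up in inp_r as a run of at least seven equal digital values, which is the k = 7 / n = 6 situation of Proposition 5.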

5.3 Combining two worlds 

Let lists ce_s and inp_s be the bit lists containing values given to the analog sender register aR_s. If they both
satisfy predicate bv2sp, list element ce_s[c − 1] or inp_s[c − 1] corresponds to the bit value given to the sender
analog register at time e_s(c).

Proposition 5 is embedded into a digital context in the following statement. We assume that (a) clock
drift is bounded; (b) function γ correctly translates bit lists ce_s and inp_s; (c) the digital control bits are
high once and then low k times to create a safe sampling window. Analog hypotheses are concerned with
the connection of the sender with the receiver and the clock drift. Obviously, they cannot be "digitalized".
These assumptions will be used in almost all theorems, lemmas and propositions proved in the remainder of
this paper. We denote them by H, which is formally defined as follows:

$\mathcal{T}_r \wedge \mathcal{T}_s \wedge n + 1 \le k \le \pi \wedge mk(\xi, c)$ (*bounded drift, mk(c)*)
$\forall c,\ inp_r = aR_s(c, clk_s, \gamma(ce_s), \gamma(inp_s), out^0_s) \wedge \forall t,\ ce_r(t) = 1$ (*link*)
$bv2sp(\gamma, ce_s, clk_s) \wedge bv2sp(\gamma, inp_s, clk_s)$ (*modeling hypotheses*)
$ce_s[c - 1] = 1 \wedge \forall l \in [1 : k],\ ce_s[c + l - 1] = 0$ (*sender*)

Under these assumptions, we prove in Proposition 6 below that the "digitalized" output of the analog
receiver register equals the digital input of the sender at cycle c. Compared to Proposition 5, this proposition
differs in its hypotheses and its conclusion. As shown above, hypothesis H mentions primarily digital entities.
The left hand-side of the conclusion of Proposition 6 is the application of conversion function ζ to the
conclusion of Proposition 5. The right hand-side is a bit instead of a signal.

Proposition 6. Back to the Digital World.

$\mathcal{H} \rightarrow \forall x \in [0 : n] : \zeta(aR_r^{\xi + \beta^c_\xi + x}, e_r(\xi + \beta^c_\xi + x + 1)) = inp_s[c - 1]$

Proof. By definition of predicate bv2sp, γ(inp_s) and γ(ce_s) are stadep for the required cycles. Proposition 5
concludes. □

6 A proof example: correct voted bits 

To prove that bytes are sampled correctly, we need to prove that each sampled bit is correct, i.e., that
the value of the voted bit is correct. This is a very simple lemma which illustrates the combination of
the continuous time model and the discrete time model, as well as the combination of Isabelle/HOL with
IHaVelt and NuSMV. In this section, we first describe how hardware designs are described and verified in
the IHaVelt environment. Then, we show how to incorporate digital properties in our model of asynchronous
communications.

6.1 The IHaVelt environment

IHaVelt stands for Isabelle Hardware Verification Infrastructure and has been developed by Tverdyshev [20].
It is written in Standard ML and implemented as an oracle proof tactic in Isabelle/HOL. IHaVelt
provides a connection to external verification tools: the NuSMV and SMV model-checkers, and different
SAT solvers. The environment also provides a tool to generate Verilog descriptions that are then synthesized
on FPGA. The main contribution of this tool is an efficient model-reduction algorithm. This algorithm is
based on a combination of transformation and domain reduction techniques. These techniques provide data
reduction and elimination of functions and memories. Details on these algorithms fall outside the scope of
this paper (see [20] for more details).

6.1.1 Hardware description in Isabelle/HOL 

IHaVelt considers a subset of the Isabelle/HOL syntax that is suitable to describe hardware, i.e., descriptions
can be translated to Verilog. The IHaVelt subset considers the following basic types: Boolean, bit vectors,
naturals, integers, lists, functions, finite enumeration, and records. Infinite types are shrunk using predicate
sets. IHaVelt provides a library of predicate sets of the aforementioned basic types, e.g., bv_n(n) and
arr_of(n, t) define the sets of bit vectors of length n and arrays of n elements of type t. Combinatorial
circuits are represented using Isabelle/HOL expressions, non-recursive functions and uninterpreted functions.
Functions are constructed using Isabelle/HOL operators. Uninterpreted functions are translated to Verilog
modules without bodies. They are typically used to represent memories. Sequential circuits are represented
by standard Mealy machines. State components are stored in registers which constitute a specific type used
in the translation tool.



Figure 11: RTL description of majority vote (input inp_r, registers R and RH, shift register SH[3:0])
We shortly illustrate hardware description in Isabelle/HOL on the very simple example of the computation
of the voted bit noted v in Figure 3. Figure 11 shows the schematics. The state component of this circuit is
defined by a record containing the two input registers and a 4-bit shift register. Using Isabelle syntax, we
have⁴:

    record t_rBUSCON =
      rR   :: t_bitreg
      rRH  :: t_bitreg
      rSH4 :: t_shiftreg4

Majority is computed using a cascade of multiplexers (noted mux). A multiplexer is defined as a function
taking as arguments two bit-vectors and a select bit. It returns the selected bit-vector.

    constdefs mux_impl :: "bv => bv => bit => bv"
      "mux_impl xs ys s == (if (bit2bool s) then xs else ys)"

In computing the majority, multiplexers are used to introduce a 0 or a 1.

    constdefs major_help_impl :: "bv => bit => bv"
      "major_help_impl b sel == mux_impl (b@[1]) ([0]@b) sel"

All the multiplexers are connected together to compute the 5-bit majority voting.

    constdefs major5_impl :: "bv => bit"
      "major5_impl b ==
       let
         v0::bv = [(nth b 0)];
         v1::bv = major_help_impl v0 (nth b 1);
         v2::bv = major_help_impl v1 (nth b 2);
         v3::bv = major_help_impl v2 (nth b 3);
         v4::bv = major_help_impl v3 (nth b 4)
       in
         (nth v4 2)"

Finally, the voted bit is computed as the majority of the four values stored in the shift-register and the value
stored in the second input register.

⁴ RH denotes the second input register and SH4 the 4-bit shift register in Figure 11. An "r" indicates that the element is part
of the receiver interface.
    constdefs s_v :: "t_rBUSCON => bit"
      "s_v rbuscon ==
       let
         rh_bit::bit = rRH_read_impl rbuscon;
         shift_dout::bv = rSH4_read_impl rbuscon
       in
         (major5_impl ([rh_bit]@shift_dout))"

6.1.2 Theorems in IHaVelt 

IHaVelt supports the proof of combinatorial properties and temporal properties expressed either in linear or
branching time temporal logic (LTL or CTL). A combinatorial property is a Boolean expression where all
free variables are quantified over their subtype, e.g., ∀a ∈ arr_of(4, bv_n(8)) : P(a). Typically, combinatorial
properties are given to a SAT solver or any other kind of decision procedure. The syntax and semantics of
the LTL and CTL formulas supported by IHaVelt can be found in Tverdyshev's thesis [20]. These formulas
correspond to the usual properties described in standard textbooks (e.g., [11]). The formalization is inspired
by the case-study "Verified Model Checking" in the Isabelle/HOL tutorial [15].

On the circuit computing the majority voting we prove that if the input bit is equal to bit value b for
seven clock cycles, the voted bit equals b for seven cycles with a delay of four cycles. Let X denote the LTL
next operator and X^n(P) be defined as X(X^{n−1}(P)). This property is expressed by the following formula:

$inp_r = b \wedge X(inp_r = b) \wedge X^2(inp_r = b) \wedge X^3(inp_r = b) \wedge X^4(inp_r = b) \wedge X^5(inp_r = b) \wedge X^6(inp_r = b)$
$\rightarrow X^4(v = b) \wedge X^5(v = b) \wedge X^6(v = b) \wedge X^7(v = b) \wedge X^8(v = b) \wedge X^9(v = b) \wedge X^{10}(v = b)$

Let CorrVotedBit(inp_r, v) denote this property. Let K = (S, I, T) denote the Kripke structure representing
the circuit where S is the set of states represented by record t_rBUSCON, I is a predicate defining the set
of initial states, and T is the transition function. In our case, we make no assumption on the initial states
of the registers and I = True. The transition function is not detailed. It basically applies function s_v to
compute the new value of the voted bit. It shifts all registers by one place to the right and inserts value inp_r
in the first register. We prove that property CorrVotedBit holds always.

Proposition 7. $K \models \Box CorrVotedBit(inp_r, v)$

Proof. This property is automatically proven by IHaVelt that applies model reduction and calls NuSMV.
To reduce the state space, we prove it for each possible value of b (0 or 1). □

To use the above temporal property we translate it back to usual logic using the semantic description
in Isabelle/HOL. Globally (□) means that the property holds for all positions of all traces. Let t denote
an arbitrary position in a trace. Then, □CorrVotedBit(inp_r, v) translates to ∀t. CorrVotedBit(inp_r^t, v^t). Let
□X^n(s) translate to ∀t. s^{t+n}. Then, Proposition 7 translates to Proposition 8 below:

Proposition 8. $\forall x \in [0 : 6] : inp_r^{t + x} = b \rightarrow v^{t + x + 4} = b$

Proof. This proposition is the translation of Proposition 7 according to the LTL semantics. □
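The majority circuit of Section 6.1.1 and the CorrVotedBit property of Propositions 7 and 8, as an added Python model written for this page (not the paper's Isabelle/HOL or IHaVelt code). The mux cascade is checked against the counting definition of majority on all 32 inputs, and the seven-good-inputs property is checked exhaustively by enumerating the 64 initial states of the record, both values of b and every input that follows the run, which is the bounded equivalent of the NuSMV run. The order in which the shift register receives RH (SH4[0] newest) is an assumption; guaranteed_offsets generalizes the property to any run length m of equal inputs, and Proposition 8 is the case m = 7.

```python
from itertools import product


def mux_impl(xs, ys, s):
    """mux_impl of the paper: select xs when the select bit is 1, ys otherwise."""
    return xs if s == 1 else ys


def major_help_impl(b, sel):
    """major_help_impl: append a 1 on the right or prepend a 0 on the left."""
    return mux_impl(b + [1], [0] + b, sel)


def major5_impl(b):
    """major5_impl: the cascade of four multiplexers, returning the middle bit."""
    v = [b[0]]
    for i in range(1, 5):
        v = major_help_impl(v, b[i])
    return v[2]


def cascade_is_majority():
    """The cascade sorts the five bits (zeros to the left, ones to the right),
    so the middle element is the majority; compare with counting on all inputs."""
    return all(major5_impl(list(b)) == (1 if sum(b) >= 3 else 0)
               for b in product((0, 1), repeat=5))


# State of record t_rBUSCON as (R, RH, SH4); SH4 is a 4-tuple whose element 0
# is the most recently shifted-in bit (assumed ordering of the shift register).
def s_v(state):
    """Voted bit: majority of RH and the four shift-register bits."""
    _, rh, sh4 = state
    return major5_impl([rh] + list(sh4))


def step(state, inp_r):
    """Transition function: shift every register one place and load inp_r into R."""
    r, rh, sh4 = state
    return (inp_r, r, (rh,) + sh4[:3])


def run(state, inputs):
    """States at trace positions 0..len(inputs), inputs[t] being read at position t."""
    states = [state]
    for x in inputs:
        states.append(step(states[-1], x))
    return states


def guaranteed_offsets(m, horizon=None):
    """Offsets d such that m consecutive inputs equal to b (from position 0)
    force v at position d to equal b, whatever the initial state and the inputs
    that follow. Exhaustive over 64 initial states, both b and all later inputs."""
    horizon = m + 6 if horizon is None else horizon
    candidates = set(range(horizon + 1))
    for init in product((0, 1), repeat=6):
        state = (init[0], init[1], tuple(init[2:]))
        for b in (0, 1):
            for tail in product((0, 1), repeat=horizon - m):
                states = run(state, [b] * m + list(tail))
                candidates = {d for d in candidates if s_v(states[d]) == b}
    return sorted(candidates)


if __name__ == "__main__":
    print(cascade_is_majority(), guaranteed_offsets(7))
```

The result for m = 7 is exactly the offsets 4 to 10 of Proposition 8: the voted bit at position d is the majority of the inputs read at positions d − 2 to d − 6, so the first three good inputs settle it at d = 4 and the last three still outvote the two following inputs at d = 10.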

In the next section, we show how to combine this property with our model of asynchronous communica- 
tions and connect with the sender unit. 
Figure 12: Proof method (substitution of good inputs: from "shows Property(t)" to "shows Property(t + a) with error χ")



6.2 A simple example: correct voted bits 

Our general proof method is illustrated in Figure 12. The first step is to prove a temporal property on the
design. In the example of the voted bits, this was done in Proposition 7. The structure of this property
is very typical in our proof. We always prove a property on part of the design assuming a specific input
sequence. The second step is to translate this temporal property in the logic of Isabelle/HOL using the
semantics. This was the purpose of Proposition 8. The property is now dependent on an arbitrary position
t in traces. Until now, the digital part of the receiver unit was analyzed. We now show how to include the
sender and our model of asynchronous communications.

We recall Figure 2 showing the connection of sender, our model of asynchronous communications, and
receiver. Formally, this connection is expressed by Equation 5. In Proposition 8, we assume that the receiver
reads an arbitrary bit value b. In reality, this bit value is put on the bus by the sender unit at cycle c. The
receiver is then expected to read the sender output register, i.e., out_s^c in Figure 5. The third step of our proof
method is to show that the receiver can indeed read this value in our model of asynchronous communications.
In our example of the voted bits, we have to show that the receiver can read seven copies of each bit. This is
the case if the sender creates a safe sampling window. This is exactly the statement of Propositions 5 and 6.
Using these propositions, we can discharge the assumptions of our property in the analog world. In the
FlexRay algorithm, k and n have values 7 and 6 in Proposition 5. The hypotheses obtained by instantiating
k and n in H with these values are noted H[k ◁ 7, n ◁ 6]. Finally, we obtain the following proposition:



Proposition 9. $\mathcal{H}[k \triangleleft 7, n \triangleleft 6] \wedge \text{Equation 5} \rightarrow \forall x \in [0 : 6] : inp_r^{\xi + \beta^c_\xi + x} = out^c_s$

Proof. Follows directly from Proposition 6 and Equation 5 by substitution. □

By combining this Proposition with Proposition 8, we obtain the correctness of the voted bit assuming
asynchronous transmission, metastability, and clock drift.

Proposition 10. $\mathcal{H}[k \triangleleft 7, n \triangleleft 6] \wedge \text{Equation 5} \rightarrow \forall x \in [4 : 10] : v^{\xi + \beta^c_\xi + x} = out^c_s$

Proof. Follows from Propositions 9 and 8 by substituting t by ξ + β^c_ξ + 4. □

Typically, we obtain at this point a formula with a time reference at receiver cycle ξ (or sometimes simply
t). This reference corresponds to the mark, i.e., the association of a receiver cycle with a sender cycle (e.g.,
mk(ξ, c)). We are often interested in generalizing this formula to subsequent marks at a distance a < π from
the known one. This is exactly the purpose of Proposition 2. In the proof of the correct voted bit, we obtain
the following proposition:

Proposition 11.

$\mathcal{H}[k \triangleleft 7, n \triangleleft 6] \wedge a < \pi \wedge \text{Equation 5} \rightarrow \bigvee_{\chi \in \{-1, 0, 1\}} \forall x \in [4 : 10] : v^{\xi + \theta + \beta^{c + a}_{\xi + \theta} + x} = out^{c + a}_s$

where θ = a + χ.

Proof. Proposition 2 gives us three possible marks, one for each value of χ. For each one of them we
instantiate Proposition 10. □



7 Formal proof 

In this section we give details on the formal correctness proof of the time-triggered interface. We focus on the
receiver correctness and therefore assume correctness of the sender part. We first make this assumption precise.
Then, we give an overview of the global proof structure. After that, we give our correctness statement and
show the proof of two important lemmas: Lemma 1 and Lemma 2. Lemma 1 shows the possible states in
which the receiver can be after reading the synchronization sequence BSS. Lemma 2 extends this result to
show that for all these possible states bytes can be sampled correctly. Theorem 1 - the main correctness
theorem of the hardware interface - is proven by induction on the number of bytes in a message. We conclude
this Section by showing how Lemma 2 is used in the induction step.



7.1 Assumptions: sender correctness 

The sender is proven to effectively generate each bit for eight clock cycles. This discharges the digital
hypotheses of Proposition 5. Formally, this is defined as follows, where l denotes the number of bytes in a
message:

Definition 5. Correctness of ce_s.

$WF_{ce}(ce_s, l, k, c) \equiv \forall i < l,\ ce_s[c + 8 \cdot i] = 1 \wedge \forall j \in [1 : k],\ ce_s[c + 8 \cdot i + j] = 0$

We prove that the sender generates frames with the specified format. For the purpose of this paper,
we are only concerned with synchronization bits, i.e., the BSS sequence. This is expressed by the following
predicate, where l denotes the number of bytes in a message:

Definition 6. Partial Correctness of inp_s.

$WF_{inp}(inp_s, l, c) \equiv \forall i < l,\ \forall y \in [0 : 7],\ inp_s[c + 80 \cdot i + 16 + y - 1] = 1 \wedge inp_s[c + 80 \cdot i + 24 + y - 1] = 0$



7.2 Proof roadmap 

Senders send frames composed of two initial bit sequences - the transmission start sequence (TSS) and
the frame start sequence (FSS) - followed by a number of bytes, say l bytes. Before sending each byte a
synchronization sequence - the falling edge made of BSS[0] and BSS[1] - is sent. Our objective is to prove
that each byte is received properly. We take as reference the time point when a receiver reads the first copy
of bit BSS[0]. In this section, this time point is referred to with t. When reading the initial bit sequences
or the previous byte, receivers have different configurations when starting reading a byte at time t. We first
show the different possible states after reading the initial bit sequences, i.e., the states before reading the
first byte.

We illustrate these different possible states in Figure 13. The first two lines show the output of the sender
and how it is seen by the receiver. Black boxes indicate possible metastabilities. We first need a mark and
assume that cycle ξ is the first affected cycle. Because of clock drift, the BSS[0]-mark may appear on the
receiver side 15 (χ = −1), 16 (χ = 0) or 17 (χ = 1) cycles after ξ. There is a potential metastability at cycle
ξ. Depending on the value reached after resolution - that is depending on the value of β^c_ξ - the receiver
automaton reaches different state and counter values when the BSS[0]-mark is detected. In the figure, we
show these values at β^c_ξ + 16, where the automaton is either in state BSS[0] with a counter at 011 or in state
FSS with a counter at 010. This corresponds to the case where χ = 0. If χ = 1, then the receiver automaton
reaches state BSS[0] 17 cycles after ξ and with counter value 100.

Figure 13: Initial Transmission Phase (sender output out_s through TSS, FSS and BSS as seen on receiver input inp_r with possible metastabilities, marks mk(ξ, c) and mk(ξ + 16 + [−1 : 1], c + 16), and the receiver state at ξ + β^c_ξ + 16: either z = BSS[0] ∧ cnt = 011 or z = FSS ∧ cnt = 010)

The base case and all the sub-cases of the induction step are proven using two main lemmas. The
first one states that synchronization occurs while sampling the synchronization sequence: for all
possible states of the receiver before reading the BSS sequence, it gives the possible states after reading
this sequence. The second lemma shows that this synchronization is good enough to sample a byte: for
all possible states after reading the BSS sequence, the byte can be sampled properly. Its proof reveals the
correct value of the counter used in the bit-clock synchronization algorithm.



7.3 Main statement 

The main theorem is shown below. The first line contains hypotheses about the low level aspects (T1), our
integration of the analog and the digital worlds (Equation 5), and our assumption that the sender is correct.
The first bit of the message is put on the bus at sender cycle c and the first "affected" receiver cycle is cycle
t. These two facts are hidden in hypothesis H[k < 7, n < 6]. In the second line, we simply assume that the
initial state is idle and that each bit of a byte is indexed by j.

Theorem 1. Transmission Correctness.

\[
\begin{array}{l}
H[k<7,\, n<6] \;\land\; \text{Equation 5} \;\land\; \mathit{WF}_{ce}(\mathit{ce}_s, l, k, c) \;\land\; \mathit{WF}_{inp}(\mathit{out}_s, l, c) \\
\quad \land\; z^{t} = \mathit{idle} \;\land\; j \in [7:0] \\
\longrightarrow \\
\forall i < l,\ \exists v,\quad mk(v,\, c+16+80\cdot i) \qquad (*\ \text{bss0 mark}\ *) \\
\quad \land \\
\quad \Big(\ mk(v+7,\, c+24+80\cdot i) \qquad (*\ \text{bss1 mark}\ *) \\
\qquad \land\; z^{v+78} = b[7] \;\land\; \mathit{cnt}^{v+78} = 010 \;\land\; \mathit{BYTE}^{v+79} = \big(\mathit{out}_s^{\,c+16+80\cdot i+8\cdot(j+2)}\big) \\
\quad \lor\; \big(mk(v+7,\, c+24+80\cdot i) \lor mk(v+8,\, c+24+80\cdot i)\big) \qquad (*\ \text{bss1 mark}\ *) \\
\qquad \land\; z^{v+79} = b[7] \;\land\; \mathit{cnt}^{v+79} = 010 \;\land\; \mathit{BYTE}^{v+80} = \big(\mathit{out}_s^{\,c+16+80\cdot i+8\cdot(j+2)}\big) \\
\quad \lor\; \big(mk(v+8,\, c+24+80\cdot i) \lor mk(v+9,\, c+24+80\cdot i)\big) \qquad (*\ \text{bss1 mark}\ *) \\
\qquad \land\; z^{v+80} = b[7] \;\land\; \mathit{cnt}^{v+80} = 010 \;\land\; \mathit{BYTE}^{v+81} = \big(\mathit{out}_s^{\,c+16+80\cdot i+8\cdot(j+2)}\big) \\
\quad \lor\; mk(v+9,\, c+24+80\cdot i) \qquad (*\ \text{bss1 mark}\ *) \\
\qquad \land\; z^{v+81} = b[7] \;\land\; \mathit{cnt}^{v+81} = 010 \;\land\; \mathit{BYTE}^{v+82} = \big(\mathit{out}_s^{\,c+16+80\cdot i+8\cdot(j+2)}\big)\ \Big)
\end{array}
\]

Figure 14: Traversing synchronization edges



The conclusion reads "for each byte i of a message containing l bytes, there exists a receiver cycle v from
which the receiver samples the byte correctly". The conclusion is a conjunction of two terms. The first one
expresses the knowledge of the receiver about the first bit of the synchronization sequence (BSS[0]). The
knowledge of this "mark" and clock drift induce three possible positions for the second bit of this sequence.
These three possible positions imply four different ways of sampling a byte. This is explained using the
drift factor χ and the metastability factor β. The former can take three values: -1, 0, or 1. The latter is
either 0 or 1. Combining these two factors, we obtain four possibilities: -1, 0, 1, 2. Because of these four
possibilities, the total number of cycles needed to sample a byte can have four different values. These values
are expressed by the second term of the conclusion. In each case, state and counter values mean that the last
bit has been sampled. One cycle after that, the byte register is properly updated. In total, it takes between
79 and 82 cycles to sample a byte.

This theorem also proves lower and upper bounds on the time at which the last bit of one byte is
recovered. From a simple computation based on the marks of the conclusion, these bounds can be expressed
as functions of the reference clock ($\tau_{\mathit{ref}}$) and the time ($e_s(c)$) when the first bit is put on the bus by the
sender.

7.4 Lemma 1: Crossing synchronization edges

The objective of Lemma 1 is to prove, for all possible states before reading the synchronization sequence
(BSS), what the possible states after reading this sequence are. We illustrate the proof when reading the
first byte, i.e., after reading the initial bit sequences. The other cases are discussed in Section 7.6 about the
induction step. Our reasoning is illustrated in Figure 14. The first two lines show the output of the sender
and how it is seen by the receiver. Black boxes indicate possible metastability. Question marks are used to
denote unknown values.

As explained in Section 7.2, the receiver may be in different configurations at the time of the detection of
the BSS[0]-mark. We fix the initial step of the lemma to match the time of the detection of the BSS[0]-mark.
We consider the case where the receiver is in state BSS[0] with a counter value of either 011 or 100. The
other cases are proven in a similar way.

According to Proposition 2 and assuming that the BSS[0]-mark is known, the BSS[1]-mark has three
possible times (one for each value of χ). The potential metastability around that edge has the same three
times. We consider the bits sampled by the receiver at these times unknown. At most three bits are unknown.
Depending on the values of these three bits, the automaton will spend more or less time in the states of BSS.
There is synchronization if the lower and the upper bound on this number of cycles allow proper sampling.
These bounds are defined by Lemma 1, which proves that the automaton reaches state b[0] with counter
value 011 in at least 15 and at most 18 cycles. We now explain the proof of these lower and upper bounds.

Let t be the time of the affected cycle of BSS[0]. If the three unknown bits are 0 (see line 3 "earliest sync"
in Figure 14), signal sync is high at t + 7 + 4 = t + 11. The counter is reset and signal strobe is high at
t + 11 + 3 = t + 14. In the next cycle, the automaton reaches state $z^{t+15} = b[0]$. For any lower initial value of the
counter, the automaton reaches this state earlier.

If the unknown bits are 1 (see line 4 "latest sync" in Figure 14), signal sync is high at t + 10 + 4 = t + 14.
If the counter was 100 initially, then it has reached value 010 and strobe is high. At the same time, signal
sync is high, the automaton stays in BSS[0], and the counter is reset. At cycle t + 17, strobe is high and the
automaton reaches b[0] with a correct counter value at t + 18. For any larger initial value, the automaton requires
more cycles to reach this state.

The main statement covers all possible configurations when sampling the first byte, but also all possible
configurations when sampling byte i in the induction step. This statement assumes that the time of the first
bit of the first part of the synchronization sequence (the "BSS[0]-mark") is known to the receiver (mk(t, c+16)).
The conclusion contains the four possible ways to sample the synchronization sequence. In each term of the
disjunction, we know the position of the first bit of the second part of the synchronization sequence (BSS[1]).
This knowledge is crucial to prove that synchronization is good enough to sample bits correctly (Lemma 2,
Section 7.5).

Lemma 1. Synchronization.

\[
\begin{array}{l}
mk(t,\, c+16) \qquad (*\ \text{bss0 mark}\ *) \\
\land \qquad (*\ \text{next are hypotheses about the starting point of the lemma}\ *) \\
\big(\ z^t = BSS[0] \land \mathit{cnt}^t \in \{011, 100\} \;\lor\; z^t = FSS \land \mathit{cnt}^t \in \{001, 010\} \\
\quad \lor\; z^t = b[7] \land \mathit{cnt}^t \in \{001, 010, 011, 100\}\ \big) \qquad (*\ \text{for induction step}\ *) \\
\longrightarrow \\
mk(t+7,\, c+24) \;\land\; z^{t+15} = b[0] \;\land\; \mathit{cnt}^{t+15} = 011 \qquad (*\ \text{bss1 mark}\ *) \\
\lor\; \big(mk(t+7,\, c+24) \lor mk(t+8,\, c+24)\big) \;\land\; z^{t+16} = b[0] \;\land\; \mathit{cnt}^{t+16} = 011 \\
\lor\; \big(mk(t+8,\, c+24) \lor mk(t+9,\, c+24)\big) \;\land\; z^{t+17} = b[0] \;\land\; \mathit{cnt}^{t+17} = 011 \\
\lor\; mk(t+9,\, c+24) \;\land\; z^{t+18} = b[0] \;\land\; \mathit{cnt}^{t+18} = 011
\end{array}
\]

This lemma is proven following the same approach as the one used to prove the correctness of voted bits
(see Section 6.2). The idea is to obtain from the low level model which inputs are unknown and to prove that
the design works properly for all possible values of these unknown inputs.

As suggested by the informal description of the proof, there are at most three unknown inputs. In fact,
for each position of the BSS[1]-mark, only one input is unknown. It is the bit that appears exactly on this
mark, and it is unknown because of metastability. For instance, if the mark is at its earliest position (see line "Earliest
sync" in Figure 14), then the only unknown input is at time t + 7, because instantiating Proposition 3 for
this mark gives us that bits from t + 8 onwards are known. In a similar way, if the mark is at its latest position (see
line 4 "latest sync" in Figure 14), then we also know that inputs at t + 7 and t + 8 must be one. This is
due to our assumption that clock drift is bounded, i.e., bits at t + 7 and t + 8 are still in the safe sampling
window starting at the BSS[0]-mark.

For each position of the BSS[1]-mark, we prove a lemma on the digital design, which shows the two
possible lengths of sampling the synchronization sequence. For instance, if the BSS[1]-mark appears at t + 7,
we prove that sampling the synchronization sequence takes 15 to 16 cycles. This is expressed in Proposition 12
below. The hypotheses first state that at times t + 1 until t + 6 six good copies of BSS[0] are known and that
at times t + 8 until t + 13 six good copies of BSS[1] are known. The input at time t + 7 is left unspecified and the
model-checker will have to consider all possible values. The rest of the hypotheses state the different receiver
states and counter values that are possible at time t when reading the first copy of BSS[0]. The conclusion
shows the time points when the receiver reaches state b[0] with counter value 011, i.e., after reading the BSS
sequence.

Figure 15: Sampling bytes correctly

Proposition 12.

\[
\begin{array}{l}
\forall u \in [0:5],\ \mathit{inp}^{t+1+u} = 1 \;\land\; \forall v \in [0:5],\ \mathit{inp}^{t+8+v} = 0 \qquad (*\ 2 \times 6 \text{ bits known}\ *) \\
\land\; \big(\ z^t = BSS[0] \land \mathit{cnt}^t \in \{010, 011\} \;\lor\; z^t = FSS \land \mathit{cnt}^t \in \{001, 010\} \qquad (*a*) \\
\quad \lor\; z^t = b[7] \land \mathit{cnt}^t \in \{001, 010, 011, 100\}\ \big) \qquad (*b*) \\
\longrightarrow \\
z^{t+15} = b[0] \land \mathit{cnt}^{t+15} = 011 \;\lor\; z^{t+16} = b[0] \land \mathit{cnt}^{t+16} = 011
\end{array}
\]

Proof. By IHaVelt. For efficiency of the computations, we decompose this proposition into two propositions.
We prove the conclusion assuming hypothesis (*a*) in one proposition. In another one, we prove the
conclusion assuming (*b*). Each proof is fully automatic. □



7.5 Lemma 2: Sampling bytes correctly

The previous lemma shows the different possible states of the receiver before and after reading the BSS
sequence. Lemma 2 shows that it is possible to sample the transmitted byte for all these possibilities. Let t
denote the receiver cycle reading the first copy of BSS[0]. To simplify, we only consider the case where the
receiver is in state $z^t = BSS[0]$ with counter $\mathit{cnt}^t = 011$ when reading the first bit of BSS[0]. This case is
pictured in Figure 15. All other cases are proven in a similar way. The first two lines show the digital
output (out_s in Figure 2) of the sender and the digital input of the receiver (inp_r in Figure 2). Black boxes
show potential metastabilities and a '?' illustrates the fact that the eighth copy is not certainly correct.
Line "Earliest Sync" considers the shortest traversal of the synchronization sequence. State b[0] is reached
after 15 cycles (t + 15). Line "Latest Sync" considers the longest traversal of the synchronization sequence.
State b[0] is reached after 18 cycles (t + 18). The large box shows the values of the voted bit, which is
simply the receiver input delayed by four cycles. The first line shows the case of no metastability, or good
resolution of it (β = 0), when reading the first copy of b[0]. The second line shows bad resolution of the
metastability (β = 1). Numbers indicate cycle numbers counting from time t when the receiver reads the
first copy of BSS[0]. The possible strobe points for the earliest and latest synchronization are also shown. In
total there are four possible strobe points, depending on the four durations of traversing the synchronization
sequence. Strobing occurs at $t + [15:18] + 7$ for b[0]. In general, for any bit b[j] strobing occurs at
$t + [15:18] + 8 \cdot j + 7$. We see here that the position of the strobe points is fully determined by the traversal
of the synchronization sequence BSS. It does not depend on clock drift. In contrast, the relative position
of the voted bits may shift by one cycle. This is represented by the different values of the drift factor χ. The
objective of Lemma 2 is to prove that all strobe points coincide with a good voted bit.
7.5.1 Positions of the voted bits



We assumed that at receiver cycle t the first bit of BSS[0] is read. This bit was put on the bus at sender
cycle c. We are interested in the bits sent after the two bits of the BSS sequence. We want to read bit b[j],
which is put on the bus 8 · (j + 2) cycles after cycle c. We simply instantiate Proposition 11 (Section 6.2)
with its reference cycle set to t and a = 8 · (j + 2) and obtain the following:

\[
\forall x \in [4:10],\quad \bigvee_{\chi \in \{-1,0,1\}} v^{\,t + 8\cdot(j+2) + \beta^{\,t+8\cdot(j+2)+\chi} + \chi + x} \;=\; \mathit{out}_s[c + 8\cdot(j+2) - 1]
\]

The right hand side of this equation denotes the value of the bit sent by the sender unit, i.e., b[j]. The left
hand side shows the different positions of the voted bits. There are seven good bits, i.e., one for every value
of x ∈ [4 : 10]. Ideally, each bit b[j] is read at receiver cycle t + 8 · (j + 2). Because of clock drift, this can
suffer an error of one cycle. Each bit b[j] is then read at cycle t + 8 · (j + 2) + χ. For each bit b[j], there
might be a metastability when reading the first copy of it, i.e., at receiver cycle t + 8 · (j + 2) + χ. The effect
of this metastability is expressed by $\beta^{\,t+8\cdot(j+2)+\chi}$, simply written β in the remainder of this section.

For every bit b[j], the position of the corresponding good voted bits is equal to the following expression:

\[
t + 8 \cdot (j+2) + \beta + \chi + x
\]

The objective of Lemma 2 is to show that there is always an x ∈ [4 : 10] that matches the position of a
strobe point with a voted bit. Formally, we have to solve the following equality, where the left hand side
corresponds to the strobe points and the right hand side to the cycles at which the voted bit is correct
(with a = 8 · (j + 2)):

\[
t + [15:18] + 8 \cdot j + 7 \;=\; t + a + \beta + \chi + x \tag{6}
\]

7.5.2 Smallest value of x

The minimum x is required when the right hand side is maximized and the left hand side of the equality is
the earliest cycle. This means that the receiver is one cycle behind the sender. Because clock ticks differ by at
most one, this implies that χ cannot take value 1. The right hand side is therefore maximized with β = 1
and χ = 0. We need to find x such that:

\[
t + 15 + 8 \cdot j + 7 \;=\; t + 16 + 8 \cdot j + 1 + 0 + x
\]

The solution is x = 5. If the receiver strobed at counter value 001, traversing the synchronization edges
would take one cycle less. Strobe points would be positioned at $t + [14:17] + 8 \cdot j + 7$. The above equation
would become $t + 14 + 8 \cdot j + 7 = t + 16 + 8 \cdot j + 1 + 0 + x$. The solution would be x = 4 and would still
be in the interval [4 : 10]. This means that counter value 001 is a limit, i.e., the earliest working
synchronization point.

Statement 1. The lowest reset value of counter cnt is 001. As the counter is reset to 000, the lowest
difference between the strobe and the reset points is one cycle.

7.5.3 Largest value of x

The maximum x is required when the right hand side is minimized and the left hand side of the equality is
the latest cycle. This means that the receiver is one cycle ahead of the sender. Again, because of the bound
on clock drift, this implies that χ cannot take value -1. The right hand side is therefore minimized with β = 0 and χ = 0.
Here, we need to find x such that:

\[
t + 18 + 8 \cdot j + 7 \;=\; t + 16 + 8 \cdot j + 0 + 0 + x
\]

The solution is x = 9. If the receiver strobed at counter value 011, traversing the synchronization
sequence would take one cycle more. Strobe points would be positioned at $t + [16:19] + 8 \cdot j + 7$. The above
equality would become $t + 19 + 8 \cdot j + 7 = t + 16 + 8 \cdot j + 0 + 0 + x$. The solution would be x = 10 and would
still be in the interval [4 : 10]. Note that this counter value is the one proposed by the FlexRay
standard [1]. Value 100 proposed in [3] would be outside this limit and is therefore not adequate.

Statement 2. The largest reset value of counter cnt is 011. As the counter is reset to 000, the largest
difference between the strobe and the reset points is three cycles.
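The derivation of Sections 7.5.1 to 7.5.3 can be replayed mechanically. The following Python script is an added
worked example, not code from the paper or from its Isabelle/IHaVelt development: it solves Equation (6) for x
with the paper's symbols (traversal length, j, β, χ), applies the restrictions on χ stated above (no χ = 1 in the
earliest case, no χ = -1 in the latest case), and reports which strobe counter values keep x inside [4 : 10]. The
one modelling assumption added here is the one the two subsections themselves use implicitly, namely that strobing
at counter value d instead of 010 shifts all four traversal lengths by d - 2 cycles.

```python
"""Strobe point vs. voted bit alignment for the bit-clock synchronization
derivation of Section 7.5 (added worked example, not code from the paper).

Symbols follow the paper: after the receiver reads the first copy of BSS[0]
at cycle t, traversing the synchronization edges takes 15..18 cycles when the
receiver strobes at counter value 010 (Lemma 1); bit b[j] is strobed at
t + traversal + 8*j + 7, and the good voted bits for b[j] sit at
t + 8*(j+2) + beta + chi + x for x in [4:10] (Equation 6).

Assumption (used implicitly in Sections 7.5.2/7.5.3): strobing at counter
value d instead of 010 shifts every traversal length by d - 2 cycles.
"""

X_RANGE = range(4, 11)           # x in [4:10]: seven good copies of each bit
BASE_TRAVERSALS = range(15, 19)  # 15..18 cycles when strobing at 010 (Lemma 1)
BASE_STROBE_VALUE = 0b010


def traversal_lengths(strobe_value):
    """Cycles needed to traverse the BSS edges when strobing at strobe_value."""
    shift = strobe_value - BASE_STROBE_VALUE
    return [n + shift for n in BASE_TRAVERSALS]


def required_x(traversal, j, beta, chi):
    """Solve Equation (6) for x:
    t + traversal + 8j + 7 = t + 8(j+2) + beta + chi + x  (t cancels)."""
    return (traversal + 8 * j + 7) - (8 * (j + 2) + beta + chi)


def x_bounds(strobe_value, j=0):
    """(smallest, largest) x needed, following Sections 7.5.2 and 7.5.3.

    Earliest traversal: the receiver is one cycle behind the sender, so chi != 1;
    the right-hand side of (6) is maximal for beta = 1, chi = 0.
    Latest traversal: the receiver is one cycle ahead, so chi != -1;
    the right-hand side is minimal for beta = 0, chi = 0.
    The result does not depend on j, so a single bit suffices.
    """
    lengths = traversal_lengths(strobe_value)
    x_min = required_x(min(lengths), j, beta=1, chi=0)
    x_max = required_x(max(lengths), j, beta=0, chi=0)
    return x_min, x_max


def adequate(strobe_value):
    """True iff every strobe point lands on one of the seven good voted bits."""
    x_min, x_max = x_bounds(strobe_value)
    return x_min in X_RANGE and x_max in X_RANGE


def admissible_strobe_values():
    """All 3-bit counter values at which the receiver may strobe."""
    return [d for d in range(8) if adequate(d)]


def strobe_points(strobe_value, j):
    """Receiver cycles (relative to t) at which bit b[j] is strobed, one per
    traversal length; independent of clock drift, as noted in Section 7.5."""
    return [n + 8 * j + 7 for n in traversal_lengths(strobe_value)]


if __name__ == "__main__":
    for d in range(8):
        lo, hi = x_bounds(d)
        print(f"strobe at cnt={d:03b}: traversal {traversal_lengths(d)}, "
              f"x in [{lo}:{hi}] -> {'ok' if adequate(d) else 'NOT adequate'}")
    print("admissible strobe values:",
          [f"{d:03b}" for d in admissible_strobe_values()])
    print("strobe points for b[0] when strobing at 010:", strobe_points(0b010, 0))
```

Running it lists 001, 010 and 011 as adequate and rejects 100, which is Statements 1 and 2 together with the
remark above on the value proposed in [3]; for 010 the bounds come out as x ∈ [5 : 9], as in the two derivations.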



7.5.4 Statement of Lemma 2

The main statement builds on Lemma 1 and shows the four different ways of sampling a byte, starting from
the first bit of the synchronization sequence. In each way, we also have the knowledge of the BSS[1]-mark.

Lemma 2. Sampling bytes correctly.

\[
\begin{array}{l}
mk(t,\, c+16) \\
\land\; \big(\ z^t = BSS[0] \land \mathit{cnt}^t \in \{010, 011\} \;\lor\; z^t = FSS \land \mathit{cnt}^t \in \{001, 010\} \\
\quad \lor\; z^t = b[7] \land \mathit{cnt}^t \in \{001, 010, 011, 100\}\ \big) \\
\longrightarrow \\
mk(t+7,\, c+24) \;\land\; z^{t+78} = b[7] \land \mathit{cnt}^{t+78} = 010 \land \mathit{BYTE}^{t+79} = \big(\mathit{out}_s^{\,c+16+8\cdot(j+2)}\big),\ j \in [7:0] \\
\lor\; \big(mk(t+7,\, c+24) \lor mk(t+8,\, c+24)\big) \;\land\; z^{t+79} = b[7] \land \mathit{cnt}^{t+79} = 010 \land \mathit{BYTE}^{t+80} = \big(\mathit{out}_s^{\,c+16+8\cdot(j+2)}\big),\ j \in [7:0] \\
\lor\; \big(mk(t+8,\, c+24) \lor mk(t+9,\, c+24)\big) \;\land\; z^{t+80} = b[7] \land \mathit{cnt}^{t+80} = 010 \land \mathit{BYTE}^{t+81} = \big(\mathit{out}_s^{\,c+16+8\cdot(j+2)}\big),\ j \in [7:0] \\
\lor\; mk(t+9,\, c+24) \;\land\; z^{t+81} = b[7] \land \mathit{cnt}^{t+81} = 010 \land \mathit{BYTE}^{t+82} = \big(\mathit{out}_s^{\,c+16+8\cdot(j+2)}\big),\ j \in [7:0]
\end{array}
\]
7.6 Induction Step

We perform a proof by induction on the number of bytes transmitted. We first extract an arbitrary
cycle v from our induction hypothesis. We know that from this cycle we can sample byte i properly. We
then use Lemma 2 to find a cycle from which byte i + 1 can also be recovered. This discharges the existential
quantification. For byte i, the induction hypothesis gives us a BSS[0]-mark. The other part of the induction
hypothesis gives us four possible completion times for sampling byte i. Our induction hypothesis for an
arbitrary v is as follows:

\[
\begin{array}{l}
mk(v,\, c+16+80\cdot i) \qquad (*\ \text{bss0 mark}\ *) \\
\land\; \Big(\ mk(v+7,\, c+24+80\cdot i) \qquad (*\ \text{bss1 mark}\ *) \\
\qquad \land\; z^{v+78} = b[7] \land \mathit{cnt}^{v+78} = 010 \land \mathit{BYTE}^{v+79} = \big(\mathit{out}_s^{\,c+16+80\cdot i+8\cdot(j+2)}\big) \\
\quad \lor\; \big(mk(v+7,\, c+24+80\cdot i) \lor mk(v+8,\, c+24+80\cdot i)\big) \qquad (*\ \text{bss1 mark}\ *) \\
\qquad \land\; z^{v+79} = b[7] \land \mathit{cnt}^{v+79} = 010 \land \mathit{BYTE}^{v+80} = \big(\mathit{out}_s^{\,c+16+80\cdot i+8\cdot(j+2)}\big) \\
\quad \lor\; \big(mk(v+8,\, c+24+80\cdot i) \lor mk(v+9,\, c+24+80\cdot i)\big) \qquad (*\ \text{bss1 mark}\ *) \\
\qquad \land\; z^{v+80} = b[7] \land \mathit{cnt}^{v+80} = 010 \land \mathit{BYTE}^{v+81} = \big(\mathit{out}_s^{\,c+16+80\cdot i+8\cdot(j+2)}\big) \\
\quad \lor\; mk(v+9,\, c+24+80\cdot i) \qquad (*\ \text{bss1 mark}\ *) \\
\qquad \land\; z^{v+81} = b[7] \land \mathit{cnt}^{v+81} = 010 \land \mathit{BYTE}^{v+82} = \big(\mathit{out}_s^{\,c+16+80\cdot i+8\cdot(j+2)}\big)\ \Big)
\end{array}
\]

Figure 16: Induction step



This induction hypothesis is pictured in Figure 16. It starts with our arbitrary cycle v at which the
receiver starts sampling byte i. Our induction hypothesis also contains marks (cycle μ) for the second part
of the BSS sequence. Sampling byte i + 1 starts at cycle v' and BSS[1] is seen at cycle μ'. The idea of
the proof is (1) knowing v and μ we obtain values for v' and μ' using Proposition 2 and (2) we instantiate
Lemma 2 at v' to show that byte i + 1 can be sampled properly.

While sampling byte i, clocks are likely to drift. Consequently, the BSS[0]-mark (i.e., the position of v') for
the next byte is known up to the error defined by χ. From Proposition 2 with reference cycle v and a = 80, we have
v' = v + 80 + χ. Thus, we have three different possible BSS[0]-marks for byte i + 1:

\[
\bigvee_{\chi \in \{-1,0,1\}} mk(v + 80 + \chi,\ c + 16 + 80 \cdot (i+1))
\]

To use Lemma 2, we also need to know when the receiver control automaton sampled the last bit of the
byte, i.e., when z = b[7]. There are four possible times corresponding to the four possible completion times
of sampling byte i. In total, we have 4 · 3 = 12 cases in our induction step.

Let us consider the case where there is no drift and the receiver sees the first bit of the next BSS sequence 
exactly 80 cycles after the previous one. Formally, we have: 

mk(v + 80, c + 16 + 80 • (i + 1)) 

For this perfect "mark" there are still four possible ways for the receiver to sample byte i. From the 
induction hypothesis, there are four possible times when the receiver is sampling the last bit and ready to 
strobe and move to state BSS[0], i.e., the receiver is in state b[7] with cnt = 010. Formally, we have the 
following cases: 

\[
\begin{array}{l}
z^{v+78} = b[7] \;\land\; \mathit{cnt}^{v+78} = 010 \\
\lor\; z^{v+79} = b[7] \;\land\; \mathit{cnt}^{v+79} = 010 \\
\lor\; z^{v+80} = b[7] \;\land\; \mathit{cnt}^{v+80} = 010 \\
\lor\; z^{v+81} = b[7] \;\land\; \mathit{cnt}^{v+81} = 010
\end{array} \tag{7}
\]

To instantiate Lemma 2, we need to obtain that the receiver is in state b[7] with a proper counter value
when the sender puts the first bit of BSS on the bus, i.e., at v + 80, the time of the BSS[0]-mark. In the
earliest case, the counter reaches value 010 at v + 78. So, at time v + 80 the counter has value 100. In the
latest case, the counter equals 010 at v + 81 and therefore it has value 001 at time v + 80. In the remaining
two cases, the values at time v + 80 are 011 or 010. For all these cases, the premises of Lemma 2 are
satisfied for t := v + 80 and c := c + 80 · i. This shows that, for each one of these times, there exist four possible
cycles at which byte i + 1 can be sampled properly.

Let us consider the case when the BSS[0]-mark is early. Formally, we have:

\[
mk(v + 79,\ c + 16 + 80 \cdot (i+1))
\]

We have the same cases as in Equation (7), but we must consider the counter value at time t = v + 79
instead of v + 80. Assume the latest sampling time (the fourth case in Equation (7)). The counter equals 010
and z = b[7] at time v + 81. Consequently, at time v + 79 the counter is 000 and the receiver automaton
is still sampling b[7]. Under this configuration it is not possible to instantiate Lemma 2 and in fact the
receiver would not be able to synchronize. Note that the induction hypothesis also gives us the time of the
BSS[1]-mark for byte i. For this latest case, we know that this mark was seen by the receiver at time v + 9,
i.e., we have mk(v + 9, c + 24 + 80 · i). Applying Proposition 2 on this BSS[1]-mark with a = 72 gives us
another three possible times for the BSS[0]-mark of byte i + 1. Formally, we have:

\[
\bigvee_{\chi \in \{-1,0,1\}} mk(v + 9 + 72 + \chi,\ c + 24 + 80 \cdot i + 80) \tag{8}
\]

This means that the BSS[0]-mark is at the earliest (χ = -1) at v + 80. This contradicts our assumption that
the mark is at v + 79. The remaining cases when the BSS[0]-mark is at v + 79 are proven using Lemma 2
as explained above.

Let us consider the case when the BSS[0]-mark is late. Formally, we have:

\[
mk(v + 81,\ c + 16 + 80 \cdot (i+1))
\]

Again we have the same cases as in Equation (7) and must consider the counter value at time v + 81. Assume
the earliest sampling time of byte i, i.e., the counter has value 010 at time v + 78. This means that at time
v + 81 the counter has value 101 and the receiver is in state BSS[0]. Under this configuration it is not possible to
use Lemma 2. Here again we use the fact that the induction hypothesis gives us a time for the BSS[1]-mark
from which we can derive a contradiction. In the earliest sampling time, this mark is for byte i at time v + 7
and we have mk(v + 7, c + 24 + 80 · i). We apply Proposition 2 on this BSS[1]-mark with a = 72 to obtain
three possible times for the BSS[0]-mark of byte i + 1. Formally, we have:

\[
\bigvee_{\chi \in \{-1,0,1\}} mk(v + 7 + 72 + \chi,\ c + 24 + 80 \cdot i + 80) \tag{9}
\]

This means that the BSS[0]-mark is at the latest (χ = +1) at v + 80. This contradicts our assumption that
the mark is at v + 81. The remaining cases when the BSS[0]-mark is at v + 81 are proven using Lemma 2
as explained earlier in this section.
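The twelve cases of the induction step can be enumerated mechanically. The following Python script is an added
worked example, not code from the paper: for each of the four completion times of byte i and each drift value χ of
the next BSS[0]-mark, it computes the counter value at the mark, decides whether the premise of Lemma 2 is met,
and otherwise checks that the BSS[1]-mark of byte i, pushed forward by 72 cycles through Proposition 2, makes
that mark position impossible. Two modelling assumptions are made here: the counter increments by one per cycle
around the strobe, so that cnt at cycle s is 010 + (s - T) modulo 8 when cnt = 010 at the completion cycle T; and a
case is accepted for Lemma 2 exactly when that counter value lies in {001, 010, 011, 100}, the counter set of
Lemma 2's premise for state b[7].

```python
"""Case analysis of the induction step of Section 7.6 at one byte boundary
(added worked example, not code from the paper).

Induction hypothesis for byte i, with v the cycle of its BSS[0]-mark:
  - completion T in {v+78, ..., v+81} is the cycle with z = b[7] and cnt = 010;
  - the BSS[1]-mark of byte i was seen at one of v+7, ..., v+9 (two candidates
    in the two middle cases, as in Lemma 1 and Lemma 2).
Proposition 2 with a = 80 puts the next BSS[0]-mark at v + 80 + chi; applied
to the BSS[1]-mark with a = 72 it allows mu + 72 + chi, chi in {-1, 0, 1}.

Assumptions made here: the counter increments by one per cycle around the
strobe, so cnt at cycle s is (010 + (s - T)) mod 8; and a case is accepted for
Lemma 2 exactly when that value lies in {001, 010, 011, 100}, the counter set
of Lemma 2's premise for state b[7].
"""

CHI = (-1, 0, 1)
ACCEPTED_CNT = {0b001, 0b010, 0b011, 0b100}

# completion offset of byte i (relative to v) -> candidate BSS[1]-mark offsets
COMPLETION_CASES = {
    78: (7,),
    79: (7, 8),
    80: (8, 9),
    81: (9,),
}


def counter_at(completion, cycle):
    """cnt at `cycle`, given cnt = 010 at `completion` (both relative to v)."""
    return (0b010 + (cycle - completion)) % 8


def next_bss0_from_bss1(bss1_mark):
    """Proposition 2 on the BSS[1]-mark with a = 72: the BSS[0]-marks of
    byte i+1 that this BSS[1]-mark allows."""
    return {bss1_mark + 72 + chi for chi in CHI}


def analyse_boundary():
    """Classify the 4 x 3 = 12 cases of the induction step.

    Returns {(completion, next_mark): (verdict, cnt)} where verdict is
    'lemma2' (premise of Lemma 2 holds at the mark), 'contradiction' (no
    candidate BSS[1]-mark of byte i can lead to this BSS[0]-mark) or
    'unproven' (neither, which must not happen).
    """
    verdicts = {}
    for completion, bss1_marks in COMPLETION_CASES.items():
        for chi in CHI:
            next_mark = 80 + chi
            cnt = counter_at(completion, next_mark)
            if cnt in ACCEPTED_CNT:
                verdicts[(completion, next_mark)] = ("lemma2", cnt)
                continue
            reachable = set()
            for mark in bss1_marks:
                reachable |= next_bss0_from_bss1(mark)
            verdict = "contradiction" if next_mark not in reachable else "unproven"
            verdicts[(completion, next_mark)] = (verdict, cnt)
    return verdicts


def case_counts():
    """Number of cases per verdict, e.g. {'lemma2': 10, 'contradiction': 2}."""
    counts = {}
    for verdict, _ in analyse_boundary().values():
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for (completion, next_mark), (verdict, cnt) in sorted(analyse_boundary().items()):
        print(f"byte i done at v+{completion}, next BSS[0]-mark at v+{next_mark}: "
              f"cnt={cnt:03b} -> {verdict}")
    print(case_counts())
```

The script reports ten cases that go through Lemma 2 (for the no-drift mark at v + 80 the counter values are
100, 011, 010 and 001, as computed above) and exactly the two contradictions discussed in this section:
completion at v + 81 with an early mark at v + 79, and completion at v + 78 with a late mark at v + 81.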

8 Related work

The first verification effort about physical layer protocols was carried out by Moore [14]. Moore developed a
general model of asynchronous communications as a function in the logic of the ACL2 theorem prover [12].
Moore's model assumes distortion around sampling edges and does not allow for clock jitter. Sender and
receiver modules are also represented by two functions. Moore's correctness criterion states that the
composition of these three functions is an identity. He applied this approach to the verification of a Biphase-Mark
protocol.

Moore's work inspired many studies around this protocol. Recently, Vaandrager and de Groot [32]
modeled the protocol and analog behaviors using a network of timed automata. Their model is slightly
more general than Moore's and allows for clock jitter. They can derive tighter bounds for the Biphase-Mark
protocol. Previously, timed automata had been used to verify a low level protocol based on Manchester
encoding and developed by Philips [5]. Another recent proof of the Biphase-Mark protocol has been proposed
by Brown and Pike [6]. They developed a general model of asynchronous communications in the formalism of
the tool SAL [9] developed at SRI. Their model includes clock jitter and metastability. Using k-induction, the
verification of the parameterized specification of Brown and Pike is largely automatic. All these studies tackle
protocol specifications only and not actual hardware implementations. They prove functional correctness. We
prove a more precise theorem about a gate-level hardware implementation, from which bounds on the
transmission duration can be derived.

The verification of analog and mixed signal (AMS) designs is a relatively young research field. A
recent survey gave an overview of this emerging research area [23]. The authors identify several successful
applications of automatic techniques (equivalence checking, model checking, or run-time verification) in the
context of AMS designs. Our work is more related to the last category identified in this survey, namely proof
based methods. Hanna [10, 11] used predicates to approximate analog behaviors at the transistor level. The
predicates can be embedded in digital proofs. His work is not specifically targeted at communication circuits
and does not consider timing parameters, metastability or clock drift. We consider only gates and not their
structure in terms of transistors. Recently, Al Sammane et al. [17] proposed a new symbolic verification
methodology based on the computer algebra system Mathematica. This approach is based on a combination
of induction and symbolic simulations. It is suitable for systems that can be described using discrete-time
models. One contribution of our work is to combine discrete-time models with continuous-time models.

9 Conclusion and future work

We presented the correctness proof of a time-triggered interface implementing the bit-clock synchronization
mechanism of the FlexRay standard for automotive systems. This proof requires proving simultaneously
that the receiver keeps track of the correct bits and that its hardware allows for a proper synchronization.
The difficulty comes from the fact that the hardware controls the state machine which in turn controls
the hardware. The bit-clock synchronization algorithm works by resetting a counter when detecting a
synchronization sequence. The counter value at which the receiver strobes after this reset is a crucial parameter.
Our proof reveals the exact values of this counter that guarantee reliable transmissions. This proves and
disproves values proposed in the literature. Our proof is based on a general and precise model of asynchronous
communications which includes clock drift, clock jitter and metastability. The proof is performed using a hybrid
methodology that combines interactive reasoning in Isabelle/HOL and automatic model-checking using NuSMV
within Isabelle via the tool IHaVelt.

Our model of asynchronous communications is very general. The model is about 2 000 lines of
Isabelle/HOL code (footnote 5). It can easily be re-used. A user deals only with Proposition 2, Proposition 3 and our
drift assumption (Definition 1). The design that we presented and analyzed is part of a more complex
system which includes a fault-tolerant scheduler. Our model, its integration with IHaVelt, and the supporting
methodology have been re-used to verify, at the gate level, this fault-tolerant scheduler [3].

The proof presented here was developed in about one man-year and is about 8 000 lines long. Most of the
time was spent developing the model and checking whether the model was too weak or whether there was an
error in the design. We indeed discovered errors in early designs. Most of the proof about our FlexRay-like
interface is dedicated to the deduction of valid digital inputs from the analog transmission. This technique
is independent of the design under verification. If one were to prove a similar design, one would be able to
re-use most of these lemmas. The main task would be to adapt the digital lemmas to this new design. These
lemmas would be proven automatically. We estimate that the time needed to develop such a new proof
would be about a couple of weeks.

An interesting future research direction would be to structure the proof in a way that makes this
separation between design-dependent lemmas and more general ones explicit. To this end, we need to
identify a set of constraints on the digital design that would be sufficient to prove our final theorem. This
would reduce the analysis of similar designs to proving different instances of these digital propositions.
The theorem proving effort would then be spent once, while formalizing the computer architecture; the verification
of a particular design would reduce to discharging a set of constraints which are more likely to fall into the
scope of the model checker and to limit the state-space explosion problem.

Acknowledgments 

Part of this work was carried out while the author was affiliated with the University of Saarland, Saarbrücken,
Germany. This work was funded by the German Federal Ministry of Education and Research (bmb+f) in the
framework of the Verisoft project under grant 01 IS C38. This work initiated from the lecture "Computer
Architecture 2 - Automotive Systems" given by Paul at Saarland University and notes taken by students (footnote 6).

5 See http://www.cs.ru.nl/~julien/Julien_at_Nijmegen/corrll.html

6 www-w3p.cs.uni-sb.de/lehre/lehre.php






References 



[1] FlexRay Communication System - Protocol Layer Specification v2.1, Rev A, FlexRay Consortium, 
December 2005. 

[2] E. Alkassar, P. Bohm, and S. Knapp. Correctness of a fault-tolerant real-time scheduler and its hardware 
implementation. In Sixth ACM-IEEE International Conference on Formal Methods and Models for 
Codesign (MEMOCODE'08), pages 175-186. IEEE Computer Society, 2008. 

[3] C. Baier and J. -P. Katoen. Principles of Model Checking (Representation and Mind Series). The MIT 
Press, 2008. 

[4] S. Beyer, P. Bohm, M. Gerke, M. Hillebrand, T. In der Rieden, S. Knapp, D. Leinenbach, and W. J. 
Paul. Towards the formal verification of lower system layers in automotive systems. In ICCD '05: 
Proceedings of the 2005 International Conference on Computer Design, 2005. 

[5] D. Bosscher, I. Polak, and F. W. Vaandrager. Verification of an audio control protocol. In ProCoS: 
Proceedings of the Third International Symposium Organized Jointly with the Working Group Prov- 
ably Correct Systems on Formal Techniques in Real-Time and Fault- Tolerant Systems, pages 170-192, 
London, UK, 1994. Springer- Verlag. 

[6] G. M. Brown and L. Pike. Easy Parameterized Verification of Biphase Mark and 8N1 Protocols. In 
The Proceedings of the 12th International Conference on Tools and the Construction of Algorithms 
(TACAS'06), volume 3920 of LNCS, pages 58-72, 2006. 

[7] A. Cimatti, E. M. Clarke, E. Giunchiglia, F. Giunchiglia, M. Pistore, M. Roveri, R. Sebastiani, and 
A. Tacchella. NuSMV 2: An opensourcc tool for symbolic model checking. In Proceedings of the 
14th International Conference on Computer Aided Verification (CAV'02), volume 2404 of LNCS, pages 
359-364, Copenhagen, Denmark, July 27-31 2002. Springer. 

[8] E. Clarke, O. Grumbcrg, and D. Pclcd. Model Checking. MIT Press, 1999. 

[9] L. de Moura, S. Owre, H. Rueß, J. Rushby, N. Shankar, M. Sorea, and A. Tiwari. SAL 2. In R. Alur 
and D. Peled, editors, Computer-Aided Verification, CAV 2004, volume 3114 of LNCS, pages 496-500, 
Boston, MA, 2004. Springer-Verlag. 

[10] K. Hanna. Reasoning about real circuits. In Proceedings of the 7th International Workshop on Higher 
Order Logic Theorem Proving and Its Applications, pages 235-253, London, UK, 1994. Springer-Verlag. 

[11] K. Hanna. Automatic verification of mixed-level logic circuits. In FMCAD '98: Proceedings of the Second 
International Conference on Formal Methods in Computer-Aided Design, pages 133-166, London, UK, 
1998. Springer-Verlag. 

[12] M. Kaufmann, P. Manolios, and J Strother Moore. ACL2 Computer Aided Reasoning: An Approach. 
Kluwer Academic Press, 2000. 

[13] R. Manner. Metastable states in asynchronous digital systems: Avoidable or unavoidable. Microelectronic 
Reliability, 28(2):295-307, 1988. 

[14] J Strother Moore. A Formal Model of Asynchronous Communications and Its Use in Mechanically 
Verifying a Biphase Mark Protocol. Formal Aspects of Computing, 6(1):60-91, 1993. 

[15] T. Nipkow, L.C. Paulson, and M. Wenzel. Isabelle/HOL: A Proof Assistant for Higher-Order Logic, 
volume 2283 of LNCS. Springer, 2002. 

[16] V. Sagdeo. The Complete VERILOG Book. Kluwer Academic Publishers, Norwell, MA, USA, 1998. 

[17] G. Al Sammane, M. H. Zaki, and S. Tahar. A symbolic methodology for the verification of analog and 
mixed signal designs. In DATE, pages 249-254, 2007. 

[18] J. Schmaltz. A Formal Model of Lower System Layer. In Formal Methods in Computer-Aided Design 
(FMCAD'06), San Jose, CA, USA, November 12-16 2006. IEEE/ACM. 

[19] J. Schmaltz. A Formal Model of Clock Domain Crossing and Automated Verification of Time-Triggered 
Hardware. In J. Baumgartner and M. Sheeran, editors, Formal Methods in Computer-Aided Design 
(FMCAD'07), Austin, TX, USA, 11-14 November 2007. IEEE/ACM. 

[20] S. Tverdyshev. Formal Verification of Gate-Level Computer Systems. PhD thesis, Saarland University, 
Computer Science Department, 2009. 

[21] S. Tverdyshev and E. Alkassar. Efficient bit-level model reductions for automated hardware verification. 
In S. Demri and C. S. Jensen, editors, 15th International Symposium on Temporal Representation and 
Reasoning: TIME2008, pages 164-172. IEEE Computer Society Press, 2008. 

[22] F. W. Vaandrager and A. de Groot. Analysis of a biphase mark protocol with Uppaal and PVS. Formal 
Aspects of Computing, 18(4):433-458, 2006. 

[23] M. H. Zaki, S. Tahar, and G. Bois. Formal verification of analog and mixed signal designs: a survey. 
Microelectronics Journal, 39:1395-1404, 2008. 
